
Table of Contents

Introduction
  More information in more places than ever imagined
  Not everyone wants to let the whole world in
  Who is filtering or blocking the Internet?
  Filtering leads to monitoring
  When is it censorship?
  Who exactly is blocking my access to the Internet?
  What methods exist to bypass filtering?
  What are the risks of using circumvention tools?

About This Manual
  What is Sesawe?
  Authors
  1. Register
  2. Contribute!
  3. Chat
  4. Mailing List

Bypassing Internet Filtering
  Circumvention Providers
  Circumvention Users
  Am I Being Blocked or Filtered?
  Detection and Anonymity
  An important warning

How the Internet Works
  Connecting to the Internet
  Visiting a Web site
  Why This Matters

Who Controls the Net?
  Government involvement
  Why This Matters

Filtering Techniques
  URL Filtering
  DNS Filtering
  IP Filtering
  Port blocking
  Why This Matters

Simple Tricks
  Using third-party sites
  Cached Pages
  RSS Aggregators
  Translators
  Low-Bandwidth Filters
  Using Alternative Domain Servers or Names
  Alternate Domain Names
  Alternative DNS Servers
  Using e-mail services
  Accessing web pages through e-mail
  Using Web mail to share documents
  Advantages and Risks

What is a Web Proxy?
  Advantages and Risks

Using PHProxy
  Where can I access PHProxy?
  How does it work?
  Advanced options

Using psiphon
  Connecting to a psiphon Proxy
  Adding an SSL Exception
  If you're concerned about privacy
  Logging in to the Proxy
  Browsing via the Proxy

Using psiphon 2
  How to get a psiphon2 account
  Use an invitation link to register
  Accept the SSL error message
  SSL-Error with Internet Explorer 6
  SSL-Error with Internet Explorer 7
  SSL-Error with Firefox 3
  Create your own account
  Use the psiphon2 node
  Invite others
  Send invitations
  Use Psimail
  Send messages
  Read Messages
  More resources
  Report a blocked website
  Invite a user

Web Proxy Risks
  Lack of Privacy
  Advertising, viruses and malware
  Cookies and scripts
  The proxy operator can see everything

Advanced Background
  Ports and Protocols
  The layered networking model
  Advanced Filtering Techniques
  TCP/IP Header Filtering
  Port Blocking
  TCP/IP Content Filtering
  DNS Tampering
  HTTP Proxy Filtering
  Hybrid TCP/IP and HTTP Proxy
  Denial of Service
  Domain Deregistration
  Server Takedown
  Surveillance
  Cryptography
  Social Techniques

What Is A HTTP Proxy?
  Good proxies and bad proxies
  Proxies that restrict access
  Proxies for circumvention
  Where to find an application proxy
  HTTP Proxy settings
  Microsoft Internet Explorer
  Pidgin Instant Messaging Client
  When you're done with the proxy

Installing SwitchProxy
  Using Switch Proxy
  SwitchProxy configuration
  Adding a Basic Proxy
  Standard Proxy Settings
  Adding a list of proxies for automated switching
  Using SwitchProxy
  Disadvantages and Risks

Tor - The Onion Router
  What do I need to use the Tor network?
  With what software is Tor compatible?
  Advantages and Risks

Using Tor Browser Bundle
  Downloading Tor Browser Bundle
  Installing from a single file
  Installing from split files
  Using Tor Browser
  Browsing the Web using Tor Browser
  If this does not work
  Alternatives

Using Tor IM Browser Bundle
  Download Tor IM Browser Bundle
  Auto-extract the archive
  Using Tor IM Browser Bundle
  Set up your IM account in Pidgin
  If this does not work
  Exit Tor IM Browser

Using Tor with Bridges
  What is a bridge?
  Where do I find bridges?
  Turn on bridging and enter bridge information

About JonDo
  Installation
  Configuration and Usage

What are VPN and Tunneling?
  Tunneling
  VPN
  Advantages
  Disadvantages and Risks

Using OpenVPN
  Tips for setting up OpenVPN
  Server
  Client
  Advantages and Risks

SSH Tunnelling
  Linux/Unix and MacOS command-line (with OpenSSH)
  Windows graphical user interface (with PuTTY)
  Host key verification
  Configuring applications to use the proxy

Using Socks Proxies
  Configuring Your Applications
  Mozilla Firefox
  Microsoft Internet Explorer
  Configuring a SOCKS proxy for other applications
  When you're done with the proxy
  DNS leaks

Installing a Web Proxy
  Installing PHProxy
  Installing psiphon

Setting up a Tor Bridge
  What do I need to run a relay or a bridge relay?
  Downloading Tor
  Installing Tor
  Configuring Tor to be a bridge
  Sharing your bridge with friends

Risks of Operating a Proxy
  Risks of operating a non-public proxy
  Risks of operating a Tor node (Tor relay)
  Data retention laws might regulate proxy operation

Resources
  Manuals and guides
  Circumventing Internet censorship
  Computer security advice for activists
  Studies on Internet Censorship
  Organizations that work on documenting, fighting or circumventing Internet restrictions
  Open Web proxies and application proxies
  Circumvention solutions and service operators
  A list of commercial VPN providers
  Socksification softwares

Glossary
  aggregator, anonymity, anonymous remailer, ASP (application service provider), backbone, badware, bandwidth, bash (Bourne-again shell), BitTorrent, blacklist, block, bookmark, bridge, cache, censor, censorware, CGI (Common Gateway Interface), chat, circumvention, Common Gateway Interface, command-line interface, cookie, country code top-level domain (ccTLD), DARPA (Defense Advanced Projects Research Agency), decryption, domain, DNS (Domain Name System), DNS leak, DNS server, DNS tunnel, eavesdropping, e-mail, encryption, exit node, file sharing, file spreading engine, filter, Firefox, forum, frame, FTP (File Transfer Protocol), gateway, honeypot, hop, HTTP (Hypertext Transfer Protocol), HTTPS (Secure HTTP), IANA (Internet Assigned Numbers Authority), ICANN (Internet Corporation for Assigned Names and Numbers), Instant Messaging (IM), intermediary, Internet, IP (Internet Protocol) Address, IRC (Internet relay chat), ISP (Internet Service Provider), Javascript, keyword filter, log file, low-bandwidth filter, malware, man in the middle, middleman node, monitor, network address translation (NAT), network operator, node, non-exit node, obfuscation, packet, peer-to-peer, PHP, plain text, plaintext, privacy, POP3, port, protocol, proxy server, publicly routable IP address, regular expression, remailer, router, root name server, RSS (Real Simple Syndication), scheme, shell, SOCKS, script, spam, SSH (Secure Shell), SSL (Secure Sockets Layer), steganography, threat analysis, Top-Level Domain (TLD), TLS (Transport Layer Security), TCP/IP (Transmission Control Protocol over Internet Protocol), Tor bridge, traffic analysis, tunnel, UDP (User Datagram Packet), URL (Uniform Resource Locator), Usenet, VoIP (Voice over Internet Protocol), VPN (virtual private network), whitelist, World Wide Web (WWW), Webmail, Web proxy

License

Authors

General Public License

Introduction

On 10 December 1948, the adoption by the General Assembly of the Universal Declaration of Human Rights launched a new era. Lebanese scholar Charles Habib Malik described it to the assembled delegates as follows:

Every member of the United Nations has solemnly pledged itself to achieve respect for and observance of human rights. But, precisely what these rights are we were never told before, either in the Charter or in any other national instrument. This is the first time the principles of human rights and fundamental freedoms are spelled out authoritatively and in precise detail. I now know what my government pledged itself to promote, achieve, and observe. … I can agitate against my government, and if she does not fulfill her pledge, I shall have and feel the moral support of the entire world.

One of the fundamental rights the Universal Declaration described, in Article 19, was the right to freedom of speech:

Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers.

When those words were written sixty years ago, no one imagined how the global phenomenon of the Internet would expand people's ability to "seek, receive and impart information", not only across borders but at amazing speeds and in forms that can be copied, edited, manipulated, recombined and shared with small or large audiences in ways fundamentally different from the communications media available in 1948.

More information in more places than ever imagined

The unbelievable growth in the past several years of what is on the Internet and where it is available has the effect of making an unimaginably vast portion of human knowledge and activity suddenly present in unexpected places: the hospital in a remote mountain village, your 12-year-old's bedroom, the conference room where you are showing your closest colleagues the new product design that will put you ahead of the competition, your grandmother's house.

In all of these places, the possibility of connecting to the world opens up many wonderful opportunities for improving people's lives. When you contract a rare disease on vacation, the remote village hospital may save your life by sending your test results to a medical specialist in the capital, or even another country; your 12-year-old can research her school project or make friends with kids in other countries; you can present your new product design simultaneously to top managers in offices around the world, who can help you improve it; your grandmother can send you her special apple pie recipe by e-mail in time for you to bake it for dessert tonight.

But the Internet does not contain only relevant and helpful educational information, friendship and apple pie. Like the world itself, it is vast, complex and often scary. It is just as available to people who are malicious, greedy, unscrupulous, dishonest or merely rude as it is to you and your 12-year-old child and your grandmother.

Not everyone wants to let the whole world in

With all of the best and worst of human nature reflected on the Internet and certain kinds of deception and harassment made much easier by the technology, it should not surprise anyone that the growth of the Internet has been paralleled by attempts to control how people use it. There are many different motivations for these attempts. The goals include:

Protecting children from material perceived as inappropriate, or limiting their contact with people who may harm them.

Reducing the barrage of unwanted commercial offers by e-mail or on the Web.

Controlling the size of the flow of data any one user is able to access at one time.

Preventing employees from sharing information that is viewed as the property of their employer, or from using their work time or an employer's technical resources on personal activities.

Restricting access to materials or online activities that are banned or regulated in a specific jurisdiction, which could be a country or an organization like a school -- explicit sexual or violent materials, drugs or alcohol, gambling and prostitution, and information about religious, political or other groups or ideas that are deemed to be dangerous.

Some of these concerns involve allowing people to control their own experience of the Internet (for instance, letting people use spam-filtering tools to prevent spam from being delivered to their own e-mail accounts), but others involve restricting how other people can use the Internet and what those other people can and can't access. The latter case causes significant conflicts and disagreements when the people whose access is restricted don't agree that the blocking is appropriate or in their interest.

Who is filtering or blocking the Internet?

The kinds of people and institutions who try to restrict the Internet use of specific people are as varied as their goals. They include parents, schools, commercial companies, operators of Internet cafés or Internet Service Providers, and governments at different levels.

The extreme end of the spectrum of Internet control is when a national government attempts to restrict the ability of its entire population to use the Internet to access whole categories of information or to share information freely with the outside world. Research by the OpenNet Initiative (http://opennet.net/) has documented the many ways that countries filter and block Internet access for their citizens. These include countries with pervasive filtering policies, who have been found to routinely block access to human rights organizations, news, blogs, and Web services that challenge the status quo or are deemed threatening or undesirable. Others block access to single categories of Internet content, or intermittently to specific websites or network services to coincide with strategic events, such as elections or public demonstrations. Even countries with generally strong protections for free speech sometimes try to limit or monitor Internet use in connection with suppressing pornography, so-called "hate speech", terrorism and other criminal activities, or the infringement of copyright laws.

Filtering leads to monitoring

Any of these official or private groups may also use various techniques to monitor Internet activity of the people they are concerned about to make sure that their attempts at restriction are working. This ranges from parents looking over their child's shoulder or looking at what sites were visited on the child's computer to companies monitoring employees' e-mail to law enforcement agencies demanding information from Internet Service Providers or even seizing the computer in your home looking for evidence that you have engaged in "undesirable" activities.

When is it censorship?

Depending on who is restricting access to the Internet and/or monitoring its use, and the perspective of the person whose access is being restricted, nearly any of these goals and any of the methods used to achieve them may be seen as legitimate and necessary or as unacceptable censorship and a violation of fundamental human rights. A teenaged boy whose school blocks access to his favorite online games or to social networks like MySpace feels his personal freedom to be abridged just as much as someone whose government prevents him from reading an online newspaper about the political opposition.

Who exactly is blocking my access to the Internet?

Who is able to restrict access to the Internet on any given computer in any given country depends on who has the ability to control specific parts of the technical infrastructure. This control may be based on legally established relationships or requirements or on the ability of governmental or other bodies to pressure those who have legal control over the technical infrastructure to comply with requests to block, filter or collect information. Many parts of the international infrastructure that supports the Internet are under the control of governments or government-controlled agencies, any of which may assert control, in accordance with local law or not.

Filtering or blocking of parts of the Internet may be heavy-handed or very light, clearly defined or nearly invisible. Some countries openly admit to blocking and publish blocking criteria, as well as replacing blocked sites with explanatory messages. Other countries have no clear standards and sometimes rely on informal understandings and uncertainty to pressure ISPs to filter. In some places, filtering comes disguised as technical failures and governments don't openly take responsibility or confirm when blocking is deliberate. Different network operators even in the same country and subject to the same regulations may execute filtering in quite different ways out of caution or technical ignorance.

At all levels of possible filtering, from individual to national, the technical difficulties of blocking precisely what is viewed as undesirable may have unexpected and often ridiculous consequences. "Family-friendly" filters meant to block sexual materials prevent access to useful health information. Attempts to block spam may filter out important business correspondence. Attempts to block access to specific news sites may also cut off valuable educational resources.

What methods exist to bypass filtering?

Just as many individuals, corporations and governments see the Internet as a source of dangerous information that must be controlled, there are many individuals and groups who are working hard to ensure that the Internet, and the information on it, are freely available to everyone who wants it. These people have as many different motivations as those seeking to control the Internet. However, for someone whose Internet access is restricted and who wants to do something about it, it may not matter whether the tools were developed by someone who wanted to chat with a girlfriend, write a political manifesto, or send spam.

There is a vast amount of energy, from commercial, non-profit and volunteer groups, devoted to creating tools and techniques to bypass Internet censorship. Some techniques require no special software, just a knowledge of where to look for the same information. Programmers have developed a variety of more capable tools, which address different types of filtering and blocking. These tools, often called "circumvention tools" help Internet users access information that they might not otherwise be able to see.

What are the risks of using circumvention tools?

Only you, the person who hopes to bypass restrictions on your Internet access, can decide whether there are significant risks involved in accessing the information you want. And only you can decide whether the benefits outweigh the risks. There may be no law specifically banning the information you want or the act of accessing it. On the other hand, the lack of legal sanctions does not mean you are not risking other consequences, such as harassment or losing your job.

About This Manual

This manual 'Bypassing Internet Censorship' provides an introduction to the topic and explains some of the software and methods most often used for circumventing censorship. There is some information on avoiding surveillance and other means of detection while bypassing censorship, however this is a large topic by itself so we have only touched on it where it coincides directly with issues of circumvention.

A full discussion of techniques for maintaining anonymity and preventing detection of content or activities is beyond the scope of this book.

This manual was written in partnership with the Sesawe coalition.

What is Sesawe?

Sesawe is an international consortium working to support uncensored access to the Internet. It includes software developers as well as organizations and individuals who share a belief in the need for an open Internet. They include academic research centers, think tanks, nonprofit organizations working on media issues and advocacy groups, as well as dozens of individuals who share these goals. Sesawe is not an organization, it is a gathering place to share information and related resources. Partner organizations are independently managed and financed, and responsible for their own activities.


Visit the website at https://www.sesawe.net

Authors

This manual has content that was largely written at a Book Sprint. The Book Sprint was held in the beautiful hills of Upper New York State in the US. Eight people worked together over an intensive five-day period to produce the book. It is a living document of course and is available online for free, where you can also edit it and improve it.

In addition to the material written at the Book Sprint, material has been contributed from previous publications. These include contributions from:

Ronald Deibert

Ethan Zuckerman

Nart Villeneuve

Steven Murdoch

Ross Anderson

Freerk Ohling

Frontline Defenders

These writers kindly agreed to let us use their material within a GPL licensed environment.

This manual has been written within FLOSS Manuals. To improve this manual follow these steps:

1. Register

Register at FLOSS Manuals:

2. Contribute!

Select the manual (http://en.flossmanuals.net/bin/view/CircumventionTools) and a chapter to work on.

If you need to ask us questions about how to contribute then join the chat room listed below and ask us! We look forward to your contribution!

For more information on using FLOSS Manuals you may also wish to read our manual:

3. Chat

It's a good idea to talk with us so we can help co-ordinate all contributions. We have a chat room for this using Internet Relay Chat (IRC). If you know how to use IRC you can connect to the following:

server: irc.freenode.net
channel: #booksprint

If you do not know how to use IRC then visit the following web based chat software in your browser:

Information on how to use this web based chat software is here:

4. Mailing List

For discussing all things about FLOSS Manuals join our mailing list:

Bypassing Internet Filtering

There are a number of methods to bypass Internet filters, including software tools and protected pathways. Collectively, these are called circumvention methods and can range from simple work-arounds to complex computer programs. For instance, sometimes it is possible to access a banned Web site just by opening a copy that has been cached by a search engine, instead of trying to access it directly.


Circumvention Providers

Circumvention providers are individuals or organizations that provide methods for avoiding filters on the Internet. They can be large commercial organizations that offer circumvention services for a fee or individuals or organizations that provide circumvention services for free. Circumvention providers often install software on a computer in a non-filtered location and then make connections to this computer available to those who access the Internet from a blocked location.

Circumvention Users

Circumvention users are individuals or organizations that bypass Internet filtering using circumvention technologies and usually include people who wish to access or send information from restricted locations. For instance, many Internet users want to protect their identities or activities out of a personal desire for privacy. They may also wish to avoid repercussions from authorities who restrict Internet access -- whether a disapproving parent, an employer, a copyright holder, law enforcement or a government censor.

Am I Being Blocked or Filtered?

In many countries, it is no secret that government censorship of the Internet exists, as documented in the book Access Denied: The Practice and Policy of Global Internet Filtering, edited by Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain (http://opennet.net/accessdenied). When a popular site is widely blocked, that fact tends to become widely known within the country.

But, in general, determining whether someone is preventing you from accessing a Web site or from sending information to others can be difficult. When you try to access a blocked site, you may see a conventional error message or nothing at all; the behavior may look like the site is inaccessible for technical reasons.

Some organizations, most notably the OpenNet Initiative (http://opennet.net), are using software to test Internet access in various countries and to understand how access may be compromised by different parties. In some cases, this is a difficult or even dangerous task, depending on the authorities concerned.

In some countries, there is no doubt about government blocking of parts of the Internet. In Saudi Arabia, attempting to access pornography results in a message from the government explaining that the site is blocked, and why. In countries that block without notification, one of the commonest signs of censorship is that a large number of sites with related content are inaccessible for long periods of time, except perhaps when they take countermeasures such as moving to a new domain. Another is that search engines return useless results or nothing at all about certain topics. These may be related to pornography, gambling, drugs (including alcohol) or other illegal activities or to political or religious movements deemed dangerous (for example, neo-Nazi sites blocked in Germany).

Filtering or blocking is also done for a variety of reasons that have little to do with politics. Parents may filter the information that reaches their children. Many organizations, from schools to commercial companies to the US military, restrict Internet access in order to prevent users from having unmonitored communications, using company time or hardware for personal reasons, infringing copyrights, or using excessive networking resources.

Detection and Anonymity

The tools to defeat Internet blocking, filtering and monitoring are designed to deal with different obstacles and threats. These tools can improve access to information and people, as well as mitigate risks associated with that access. Different tools may facilitate:

Circumventing censorship: Reading or authoring documents or other kinds of content, sending or receiving information, or communicating with particular people, sites or services while bypassing attempts to prevent you from doing so. For example, reading a page from a Google cache or an RSS aggregator rather than from the original Web site.

Preventing eavesdropping: Keeping communications private, so that nobody can see or hear the content of what you're communicating. (However, they might still be able to see with whom you're communicating!) Tools that try to circumvent censorship without also preventing eavesdropping may remain vulnerable to censorship by keyword filters that block all communications containing certain prohibited words. For example, various forms of encryption, such as https or SSH, make the information unreadable to anyone other than the sender and receiver.

Remaining anonymous: The ability to communicate so that no one can connect you to the information or people you are connecting with: neither the operator of your Internet connection nor the sites or people you're communicating with. For example, anonymous remailers and some proxy services, such as Tor (when certain anonymity precautions are taken), provide this service.

Concealing what you are doing: Disguising the communications you send so that someone spying on you will not be able to tell that you are trying to circumvent censorship. For example, steganography, the hiding of text messages within an ordinary image file, may conceal that you are using a circumvention tool at all.

Some tools protect your communications in only one of these ways. For example, many proxies can circumvent censorship but don't prevent eavesdropping: they let you view a blocked site, but may not prevent someone from monitoring what you are reading. It's important to understand that you may need a combination of tools to achieve your goal.

Each kind of protection is relevant to different people in different situations. When you choose tools that bypass Internet censorship, you should keep in mind what kind of protection you need and whether the particular set of tools you're using can provide that sort of protection. For example, what will happen if someone detects that you are attempting to circumvent a censorship system? Is it important to you to conceal exactly what you're reading and writing about, or do you just want to get access to a particular site or service?

Sometimes, one tool can be used to defeat censorship and protect anonymity, but the steps for each are different. For instance, Tor software is commonly used for both purposes, but Tor users who are most concerned with one or the other will use Tor differently.

An important warning

Most circumvention tools can be detected with sufficient effort by network operators or government agencies, since the traffic they generate may show distinctive patterns. This is certainly true for circumvention methods that don't use encryption, but it can also be true for methods that do use encryption. It's very difficult to keep secret the fact that you're using technology to circumvent filtering, especially if you use a fairly popular technique or continue using the same service or method for a long period of time. Also, there are ways to discover your behavior that do not rely on technology: in-person observation, surveillance, or many other forms of traditional human information-gathering.

FLOSS Manuals cannot provide specific advice on threat analysis or the choice of tools to meet the threats. The risks are different in each situation, and change frequently. You should always expect that those attempting to restrict communications or activities will continue to improve their methods.

If you are doing something that may put you at risk in the location where you are, you should make your own judgments about your security and (if possible) consult experts:

If you select a method that requires reliance on a stranger, be careful to do what you can to ensure you can trust that person.

Remember that the promises of anonymity and security made by different systems may not be accurate. Look for independent confirmation.

Achieving anonymity or security may require you to be disciplined and carefully obey certain security procedures and practices. Ignoring security procedures may dramatically reduce the security protections you receive.

Be aware that people (or governments) may set up honeypots -- fake Web sites that pretend to offer secure communication but actually capture the communications from unwitting users.

Pay attention to non-technical threats. What happens if someone steals your computer or mobile phone or those of your best friend? What if an Internet café staff person looks over your shoulder? What happens if someone sits down at a computer in a café somewhere where your friend has forgotten to log out and sends you a message pretending to be from her?

If there are laws or regulations that restrict or prohibit the materials you are accessing or the activities you are undertaking, be aware of the possible consequences.

To learn more about digital security and privacy, read:

How the Internet Works

The Internet is a decentralized worldwide network of computer networks. Although many people use the terms "the Internet" and "the Web" interchangeably, the Internet is the physical connection of computer networks together with certain methods of communication. The Web is one of many ways of communicating using the Internet. You can also use the Internet for e-mail, file sharing, Usenet news, and chat.

Connecting to the Internet

The easiest way to use the Web is often to find a local Internet café or telecenter that provides Web access. If you need to set up your own computer with an Internet connection, you would typically open an account with an Internet Service Provider (ISP). You may need some extra equipment, such as a modem or a router, to enable your computer to connect with the ISP.

The ISP in turn may purchase its own Internet access from a national provider (unless it is a branch of a national provider). National providers may similarly receive their connection from one of the multinational companies that maintain and operate the servers and connections that are called the backbone of the Internet. The backbone is made up of major server installations at critical points, and global connections between them via fiber optic cables and satellites. These connections enable communications between Internet users in different countries and continents. National and international providers connect to this backbone through special routers known as gateways, which are connections that allow one network to communicate with another. Gateways, just like other routers, may be a point at which Internet traffic is monitored or controlled.

When you connect to the Internet, your computer is normally assigned a numeric IP address, which can be written as four numbers in the range 0-255, separated by dots. Like a postal address, it identifies a single computer on the Internet. Depending on your Internet Service Provider, your computer may be assigned a different IP address each time it connects. All Web sites and Web servers also have IP addresses. For example, the IP address of www.frontlinedefenders.org is 217.173.101.253.

Visiting a Web site

When you want to visit a Web site, you normally type the "name" of the Web site into your browser and not the IP address. For example, to access the Frontline Web site you would type in http://www.frontlinedefenders.org instead of 217.173.101.253. The name of the Web site is also called the domain or domain name.

After you type the domain name into the browser, your computer sends a message with this name to the Domain Name System (DNS). This system consists of dedicated computers on the Internet that translate names into IP addresses. The DNS means that you need to remember only the Web site's name rather than a complex string of numbers. After the DNS server translates the domain name into an IP address, it shares that information with your computer.

Now your computer can try to connect to the Web site using its IP address. A path from your computer to the destination Web site must be found. This path may travel through countries, oceans and space; it could be thousands of miles long and could pass through numerous computers. How does it know which way to go, when there are hundreds of millions of different Web sites? The task of directing your message to the Web site (and back) is performed by routers, and the process is known as routing.

For our purposes, it's worth noting that routers can be given simple instructions on how to behave and can be used as a tool for censorship. Any router can be manipulated to record, re-direct, or block access to certain Web sites.


Example of what happens when you find a Web page:

1. You type in http://globalvoicesonline.org/. The computer sends the domain name to a selected DNS server (using its numeric address), which sends a message back, containing the IP address for the Global Voices Web site.

2. The browser then sends a request for a connection to that IP address.

3. The request goes through a series of routers until it reaches a router that finds the specific computer needed.

4. This computer sends information back to you, allowing your browser to send the full URL and receive the data to display the page.

Every connection between computers or routers that a message goes through is called a hop. The number of hops is the number of computers or routers your message passes through along its way. Below is a sample path (a traceroute) taken by a computer to get to www.globalvoicesonline.org. This request passes through fourteen routers before reaching the destination server on the fifteenth hop, and any one of those routers could record, redirect, or drop it. The first three hops are private addresses inside the home network and the ISP; from hop 4 on the packets are on the public Internet, crossing from the user's ISP (rr.com) to a transit provider (xo.net) and finally to the hosting company (rimuhosting.com).

traceroute to globalvoicesonline.org (72.249.186.50), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  2.425 ms  0.673 ms  0.637 ms
 2  192.168.15.1 (192.168.15.1)  3.824 ms  1.068 ms  1.139 ms
 3  10.92.32.1 (10.92.32.1)  10.712 ms  9.581 ms  98.359 ms
 4  gig-5-3-lbrtnymtn-rtr1.hvc.rr.com (24.164.160.173)  10.720 ms  10.774 ms  11.147 ms
 5  pos-3-1-nycmnya-rtr1.nyc.rr.com (24.164.160.78)  12.533 ms  12.042 ms  11.206 ms
 6  tenge-0-3-0-nwrknjmd-rtr.nyc.rr.com (24.29.97.6)  12.456 ms  13.922 ms  13.821 ms
 7  ae-4-0.cr0.nyc30.tbone.rr.com (66.109.6.78)  15.844 ms  22.984 ms  14.024 ms
 8  ae-1-0.pr0.nyc20.tbone.rr.com (66.109.6.163)  14.605 ms  14.592 ms  43.455 ms
 9  207.88.182.73.ptr.us.xo.net (207.88.182.73)  14.707 ms  14.437 ms  22.936 ms
10  te-4-0-0.rar3.nyc-ny.us.xo.net (207.88.12.26)  24.168 ms  16.683 ms  16.947 ms
11  207.88.14.9.ptr.us.xo.net (207.88.14.9)  45.446 ms  45.360 ms  46.136 ms
12  207.88.14.10.ptr.us.xo.net (207.88.14.10)  70.949 ms  69.782 ms  70.112 ms
13  207.88.185.38.ptr.us.xo.net (207.88.185.38)  70.162 ms  73.824 ms  73.137 ms
14  switch19.rimuhosting.com (65.99.204.18)  70.630 ms  70.344 ms  70.264 ms
15  server1.globalvoicesonline.org (72.249.186.50)  72.347 ms  72.747 ms  74.179 ms

Destination reached!


If you have used the Internet, you know that normally all of these complex processes are hidden and you don't need to understand them in order to find the information you need. However, when people or organizations attempting to limit your access to information interfere with the operation of the system, your ability to use the Internet may be restricted.

Why This Matters

Censorship can occur at different points in the Internet infrastructure, covering whole domains or subdomains, individual protocols, or specific content identified by filtering software. The best method to avoid censorship depends on the specific censorship technique used. You may need to understand these differences in order to choose the appropriate measures and use the Internet effectively and safely.

Who Controls the Net?

The full story of Internet governance is complicated, political and still being actively disputed. This text is meant to provide enough details to help you understand how certain aspects of the system affect particular methods of restricting access. The key point is that, in some countries, all Internet infrastructure is owned and operated by governments and large regulated telephone companies. A government that wants to block access to information can exercise direct or indirect control over points where that information is produced, or where it enters or exits the country. Governments have extensive legal authority to spy on citizens, and many also go beyond what the law allows, using extra-legal methods to monitor or restrict Internet use.

Government involvement

The Internet was developed by U.S. government-sponsored research during the 1970s. It gradually spread to academic use, then business and public use. Today, there is a global community of people working to maintain the standards and agreements that attempt to achieve worldwide open connectivity and interoperability.

However, governments are not compelled to implement Internet infrastructure in accordance with these goals or related recommendations about Internet architecture. They can, and some do, design their national telecommunications systems to have single "choke points", places where they can control their whole country's access to specific sites and services, and in some cases prevent access to their section of the Internet from outside. Other governments have passed laws or adopted informal controls to regulate the behavior of private Internet service providers, sometimes compelling them to participate in surveillance or blocking or removing access to particular materials.

Some of the Internet's facilities and coordinating functions are managed by governments or by corporations under government charter. There is no international Internet governance that operates entirely independent from national governments. Governments treat the ability to control Internet and telecommunications infrastructure as matters of national sovereignty, and many have asserted the right to forbid or block access to certain kinds of content and services deemed offensive or dangerous.

Why This Matters

It is important to understand Internet governance in order to relate the sources of Internet censorship to the possible threats. A national government might not only block access to content, but might monitor what information people in its country access, and might penalize users for Internet-related activities that the government deems unacceptable. Governments may both define what to block and carry out the blocking themselves, or may create legislation, regulations, or extra-legal pressure to compel the staff of nominally independent companies to carry out blocking and surveillance. Therefore, depending on a user's situation, attempting to circumvent online censorship can have damaging real-world consequences. When user safety is involved, understanding how the Internet is (and is not) controlled is critical.

Filtering Techniques

Internet filtering is a set of techniques that censors use to try to prevent Internet users from accessing particular content or services. Network operators can filter at any point in a network, using a wide variety of technologies, with varying levels of accuracy and customizability. Typically, filtering involves using software to look at what users are attempting to do and to selectively interfere with activities that the operator considers forbidden by policy. A filter could be created and applied by a national government or by a national or local Internet access provider.

There are four common sorts of filtering you should be aware of.

URL Filtering

One way for countries and other entities to block access to information on the Web is to prevent access based on the URL -- either the entire URL or some part of it. Internet censors often want to block specific Web domains in their entirety, because they object to the content of those domains. They can block domains either by name or by IP address. Sometimes, authorities are more selective, blocking only certain subdomains in a particular domain, while leaving the rest of the domain accessible. For example, they might filter only the subdomain news.bbc.co.uk, while leaving bbc.co.uk and www.bbc.co.uk unfiltered. Similarly, they might want to filter out specific types of content, even if they allow access to the rest of the domain hosting those pages. One way is to look for a directory name, such as "worldservice", to block BBC foreign language news at bbc.co.uk/worldservice without affecting the English language Web site. They can even block specific pages based on page names, or on search terms in queries, that suggest offensive or undesired content.

DNS Filtering

When people use the Internet to communicate, they generally use domain names such as "somewebsite.com" rather than numeric IP addresses, particularly for Web browsing. However, when computers communicate over the Internet, they require numeric addresses for navigating. When you enter a domain name in a Web browser, the first thing the Web browser does is to ask a DNS (Domain Name System) server, at a known numeric address, to look up the domain name and supply the corresponding IP address.


If the DNS server is configured to block access, it consults a blacklist of banned domain names. When a browser requests the IP address for one of these domain names, the DNS server gives a wrong answer or no answer at all.


Without the IP address, the requesting computer cannot continue, and displays an error message. Since the browser does not get the Web site's IP address, it is not able to contact the site to request a page. The result is to block all pages under a domain name.

Alternatives for circumventing DNS filtering are:

Access the desired content from another site with a different domain name.

Ask a different DNS server for the address. This can be done for a single domain or permanently, by using a free public DNS server or running your own.

Find the numeric address published somewhere and use it directly in place of the name.

Send the query through a different site that is not blocked, e.g. a Web proxy or the cache of a search engine.
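The following is an added example, not part of this manual, showing what a DNS-filtering resolver does to a query and two checks a user can run from the client side: compare the ISP resolver's answer with a second resolver's, and flag answers that point at addresses no public Web site can legitimately have. Both resolvers are simulated with dictionaries so the code runs offline; the names, the blacklist and the 203.0.113.x addresses are constructed for the example, while the two addresses marked as such are the ones printed earlier on this page.

```python
"""Simulated DNS filtering plus client-side checks (added example)."""
import ipaddress

# What an honest resolver would answer. 203.0.113.0/24 is a documentation
# range standing in for ordinary public addresses (constructed data).
HONEST_ZONE = {
    "www.frontlinedefenders.org": "217.173.101.253",  # as printed in this manual
    "globalvoicesonline.org": "72.249.186.50",         # as printed in this manual
    "news.example.org": "203.0.113.10",                # constructed
    "www.example.org": "203.0.113.11",                 # constructed
}

# Constructed censor blacklist: only the news subdomain, like the
# news.bbc.co.uk example under URL Filtering.
BLACKLIST = {"news.example.org"}

# Addresses a public Web site can never resolve to. A resolver that answers
# with one of these is lying: a sinkhole, a local block page, or simply the
# "wrong answer" the text describes.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _canon(name):
    return name.lower().rstrip(".")


def is_listed(name, blacklist=BLACKLIST):
    """A listed name also covers every name beneath it, but not its parent
    or its siblings: news.example.org blocks a.news.example.org and leaves
    www.example.org and example.org alone."""
    labels = _canon(name).split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def honest_resolve(name):
    """A resolver outside the censor's control (or the published address)."""
    return HONEST_ZONE.get(_canon(name))


def filtered_resolve(name, mode="wrong"):
    """The ISP's censoring resolver. mode='wrong' returns a bogus address,
    mode='none' returns nothing (NXDOMAIN or a timeout)."""
    if is_listed(name):
        return "127.0.0.1" if mode == "wrong" else None
    return honest_resolve(name)


def is_bogus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def classify(isp_answer, alt_answer):
    """Compare the ISP resolver's answer with an alternative resolver's."""
    if isp_answer is None and alt_answer is None:
        return "unresolvable"      # both fail: probably not filtering
    if isp_answer is None:
        return "no-answer"         # ISP resolver withholds the record
    if alt_answer is None:
        return "alt-unreachable"   # the alternative server itself may be IP-filtered
    if is_bogus(isp_answer) and not is_bogus(alt_answer):
        return "bogus-answer"      # ISP sends you to a sinkhole address
    if isp_answer != alt_answer:
        return "divergent"         # inconclusive: CDNs answer by location
    return "consistent"


def resolve_with_fallback(name, resolvers):
    """The 'ask a different DNS server' technique: take the first answer
    that is not obviously bogus, trying resolvers in the order given."""
    for resolve in resolvers:
        answer = resolve(name)
        if answer is not None and not is_bogus(answer):
            return answer
    return None


if __name__ == "__main__":
    for name in ("news.example.org", "www.example.org", "globalvoicesonline.org"):
        isp, alt = filtered_resolve(name), honest_resolve(name)
        print(f"{name:28} isp={isp!s:16} alt={alt!s:16} -> {classify(isp, alt)}")
    print("fallback:", resolve_with_fallback("news.example.org", [filtered_resolve, honest_resolve]))
```

A "divergent" result is deliberately not reported as filtering: sites served from content-delivery networks legitimately return different addresses to different resolvers, so only a bogus or missing answer is strong evidence on its own.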

IP Filtering

When data is sent over the Internet, it is divided into segments and put into packets. A packet contains both the data being sent and information about how to deliver it, such as the IP addresses of the computer it came from and the one it should go to. Routers are the computers that packets pass through on their way from a sender to a receiver; each one reads the destination address to decide where to send the packet next. If censors want to prevent users from accessing specific servers, they can configure routers they control to "drop" (not forward) packets destined for IP addresses on a blacklist, or to return an error message instead. Filtering based solely on IP addresses blocks all services provided by a particular server, such as both its Web site and its e-mail. Since only the IP address is inspected, multiple domain names that share the same IP address are also blocked, even if only one of them is prohibited.

To circumvent IP filtering, it may be possible to access the desired content elsewhere, or to route requests through sites not subject to blocking.

Port blocking

Ports are like numbered doors in a building, each leading to a different room or suite. On a computer, ports are also numbered: the well-known standard port numbers are 0 to 1023, and the remaining ports go up to 65535. Each numbered port normally offers a specific service (for example, Web access or e-mail) on a server or PC. When one computer requests access to a particular type of service on another computer, it specifies a port number for the request. The computer providing the service "listens" for requests that use that port number.

Blacklisting individual port numbers restricts access to individual services on a server, such as Web or e-mail. Common services on the Internet have characteristic port numbers. The relationships between services and port numbers are assigned by IANA, but are not mandatory. These assignments allow routers to make a guess as to the service being accessed. Thus, to block just the Web traffic to a site, a censor might block only port 80, because that is the port typically used for Web access.

The most direct method for circumventing port blocking is to use non-standard ports to provide standard services. Users must have some system knowledge to take advantage of this, in order to configure Web browsers or e-mail clients to use the non-standard ports. Other methods of accessing the content include accessing the same or similar services on other cooperating servers, or accessing the blocked servers through a non-blocked location.
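An added example, not from this manual, of the IP filtering and port blocking passages above: a router-style packet filter that matches on destination address and destination port, showing the two side effects the text describes. An IP block takes down every site hosted at that address, and a block on port 80 is sidestepped by serving the same site on another port. The host names, addresses and rules are all constructed for the example.

```python
"""Router-style IP and port filtering with its collateral effects (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS data: two sites on one shared hosting address, one alone.
NAME_TO_IP = {
    "banned.example.org": "203.0.113.20",
    "innocent.example.org": "203.0.113.20",   # same virtual-host address
    "mail.example.org": "203.0.113.30",
}


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "drop" or "allow"
    dst_net: str = "0.0.0.0/0"        # CIDR; default matches every address
    dst_port: Optional[int] = None    # None matches every port

    def matches(self, pkt):
        in_net = ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
        port_ok = self.dst_port is None or self.dst_port == pkt.dst_port
        return in_net and port_ok


def filter_packet(pkt, rules):
    """First matching rule wins. The default is allow: a censor's filter,
    unlike a firewall, usually lets everything not on the list through."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"


def can_reach(name, port, rules):
    """Would a connection to name:port get past a router holding these rules?"""
    return filter_packet(Packet(NAME_TO_IP[name], port), rules) == "allow"


IP_BLOCK = [Rule("drop", "203.0.113.20/32")]          # IP filtering: every port
PORT_BLOCK = [Rule("drop", "203.0.113.20/32", 80)]    # port blocking: Web only

if __name__ == "__main__":
    for label, rules in (("IP block", IP_BLOCK), ("port 80 block", PORT_BLOCK)):
        for name, port in (("banned.example.org", 80), ("innocent.example.org", 80),
                           ("banned.example.org", 8080), ("mail.example.org", 25)):
            state = "reachable" if can_reach(name, port, rules) else "BLOCKED"
            print(f"{label:14} {name}:{port:<5} {state}")
```

Note that the port block on a shared address still hits the innocent site's Web service, because the router sees only an address and a port, never a host name; that is why the text says IP filtering is a blunt instrument.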

Why This Matters

These censorship techniques depend on the working of different parts of the Internet structure described above. You should have some understanding of whichever of them applies in your situation. If you wish to create an unblocked server outside the location doing the blocking, you will need more detailed information.

Simple Tricks

There are a number of techniques to get past Internet filtering. If your aim is simply to reach pages or services on the Internet that are blocked from your location, and you are not concerned whether other people can detect and monitor your circumvention, these techniques may be all you need:

Using third-party Web sites to reach blocked content.

Using alternative domain names (or domain name servers) to reach blocked content.

Using e-mail gateways to retrieve blocked Web pages over e-mail.

Using third-party sites

There are a number of different ways you can reach the content on a Web page by going through a third-party web site rather than directly to the source web site.


Cached Pages

Many search engines keep copies of Web pages they have previously indexed, called cached pages. When searching for a Web site, look for a small link labeled "cached" next to your search results. Since you are retrieving a copy of the blocked page from the search engine's servers, and not from the blocked Web site itself, you may be able to access the blocked content. However, some countries have targeted caching services for blocking, as well.


RSS Aggregators

RSS aggregators are Web sites that allow you to subscribe to and read RSS feeds, which are streams of news or other information put out by sites you have chosen. (RSS stands for "Really Simple Syndication"; for more on how to use it, see http://rssexplained.blogspot.com/.) An RSS aggregator connects to Web sites, downloads the feeds that you have selected, and displays them. Since it is the aggregator connecting to the Web sites, and not you, you may be able to access sites that would otherwise be blocked. This technique works only for Web sites that publish RSS feeds of their content, of course, and therefore is most useful for blogs and news sites. There are a lot of free, online RSS aggregators available. Some of the most popular ones include Google Reader (http://reader.google.com) and Bloglines (http://www.bloglines.com).

Below is an example of Google Reader displaying the news:


Translators

There are many language translation services available on the Internet, often provided by search engines. If you access a Web site through a translation service, the translation service is accessing the blocked site, not you. This allows you to read the blocked content translated into a number of different languages.

You can use the translation service to bypass blocking, even if you don't actually need to translate the text. You do this by choosing translation from a language that does not appear on the original Web site back to the original language. For example, to use a translation service to view an English-language Web site, choose translation from Chinese to English. The translation service translates only the Chinese sections (there are none), and leaves the English sections (which is the whole Web page) untranslated.

Popular translation services include http://babelfish.yahoo.com/ and http://translate.google.com/.

The example below illustrates the three steps necessary to view a page in Babelfish. First, enter the URL of the Web site you wish to visit:


Next, choose the language you wish to read the Web site in. In this example, we tell Babelfish to translate from Korean to English. Since there is no Korean text, the page will remain untranslated.


When you have chosen the language, click "Translate" and the page displays.


Low-Bandwidth Filters

Low-bandwidth filters are Web services designed to make browsing the Web easier in places where connection speeds are slow. They remove or reduce images, remove advertisements, and otherwise compress the Web site to make it use less data, so it downloads faster. But, as with translation and aggregation services, you can also use low-bandwidth filters to bypass simple Web site blocking by fetching Web sites from their servers rather than from your computer. One useful low-bandwidth filter is at http://loband.org/.

Using Alternative Domain Servers or Names

Simply speaking, a DNS server translates a human-friendly Web address such as google.com into the IP address that identifies the specific server with that page on the Internet, such as 72.14.207.19. This service is most often provided by DNS servers maintained by your Internet Service Provider (ISP). Simple DNS blocking is implemented by giving an incorrect or invalid response to a DNS request.

You can potentially bypass this type of blocking with these techniques:

Alternate Domain Names

One of the most common ways to censor a Web site is to block access to its domain name, for example, "news.bbc.co.uk". However, sites are often accessible at other domain names, such as "newsrss.bbc.co.uk". If one domain name is blocked, try to see if the content is available at another domain.

Alternative DNS Servers

An extension of this technique is to bypass the Domain Name Servers of your local ISP, using third-party servers to reach domains that may be blocked by the ISP's servers. There are a number of free, internationally available DNS services that you can try. OpenDNS (https://www.opendns.com/) provides one such service and also maintains guides on how to change the DNS server that your computer uses (https://www.opendns.com/smb/start/computer/). There is also an updated list of available DNS servers from around the world at http://www.dnsserverlist.org/. Two caveats: the address of a well-known third-party DNS server can itself be blocked by IP filtering, and a censor that inspects traffic in transit (rather than only configuring the ISP's own resolvers) can still see and tamper with ordinary, unencrypted DNS queries no matter which server they are addressed to.

Using e-mail services

E-mail and Web-mail services can be used to share documents with groups of friends or colleagues, and even to browse the Web.

Accessing web pages through e-mail

Similar to low-bandwidth filters, there are services intended for people with slow or unreliable Internet connections that let you request a Web page via e-mail. The service sends a reply e-mail that includes the requested Web page either in the body of the message or as an attachment. These services can be quite cumbersome to use, since they require you to send a separate request for one or more Web pages, and then wait for the reply, but, in certain situations, they can be very effective at reaching blocked Web pages, especially if you use them from a secure Web mail service.

One such service is pagegetter.com. To use it, send an e-mail, including one or more URLs in the subject or body of your message, to web@pagegetter.com. You automatically receive the full requested web page, complete with embedded graphics.

Web pages with frames will be sent in multiple e-mails, because many e-mail clients cannot display frames. (Frames are a way of showing multiple pages on a single screen.) But if your e-mail client supports frames (for example, Outlook Express) you can receive all frames in a single message. In this case, send the e-mail to frames@pagegetter.com.

To receive a text-only version of the requested page, write instead to text@pagegetter.com. This is especially useful for Personal Digital Assistants (PDAs), cell phones, and text-only e-mail systems. You can also send an e-mail to HTML@pagegetter.com to receive the full HTML page with no graphics.

A similar service is found at web2mail.com. To use it, send an e-mail message to www@web2mail.com with the Web address (URL) of the Web page you want in the Subject line. You can also perform simple Web searches by typing searches into the Subject line. For example, you can search for censorship circumvention tools by typing "search censorship circumvention tools" in the subject of an e-mail message and sending it to the same address.

You can find more information and support on this topic on the ACCMAIL mailing list. To subscribe, send an e-mail with "SUBSCRIBE ACCMAIL" in the body to listserv@listserv.aol.com.

Using Web mail to share documents

If you are trying to share documents online, but want to control who can see them, you can keep them in a private space where they are visible only to those with the correct password. A simple way to share documents among a small group of friends or colleagues is to use a single Web mail account with an online e-mail provider, such as Gmail (https://mail.google.com/), and to share the user name and password with those who need to access the documents. Since most Web mail providers are free, it is easy to switch to a new account at intervals, making it harder for anyone outside the group to keep track of what you are doing. A list of free online e-mail providers is located at www.emailaddresses.com/email_web.htm.

Advantages and Risks

These simple techniques are quick and easy to use; you can try them with minimal effort. Many of them will work at least some of the time in many situations. However, they are also easy to detect and block. Since they do not encrypt or otherwise hide your communications, they are also vulnerable to keyword-based blocking and monitoring.

What is a Web Proxy?

A Web proxy allows you to retrieve a Web site even when direct access to that site is blocked at your location. Typically, a Web proxy features a form where you submit the URL of a site that you want to view. The proxy then shows you the page, but prevents a direct connection between you and the requested Web site.


When using a Web proxy, you do not have to install software or change settings on your computer. Instead, you go to the URL of the Web proxy, then enter the URL you wish to visit, and click the "submit" button (or equivalent). A Web proxy can be used from any computer, including those in Internet cafés.

Examples of free Web proxies include CGIProxy, PHProxy and Zelune. All of them provide the same basic functionality, but some are better at providing certain functions, such as access to videos. These and other Web proxy programs, like Glype, Psiphon, Picidae and bblocked, are software programs that may be run on many different computers.

You can find lists of Web proxies on sites like http://www.proxy.org/, by joining the mailing list at http://www.peacefire.org/circumventor/, or just by searching for "free Web proxy" in any search engine.

(If you are in a country with unrestricted Internet access and you are willing to help others get around censorship, you can install a Web proxy script on your own Web site or on your home computer.)

Proxy.org lists literally thousands of free Web proxies.

There are also private Web proxies. These are usually known only to a small group of contacts of the individual running the proxy. They may be useful in special circumstances, when you need to be sure to be able to access specific types of content or need the privacy offered by a proxy operated by someone you trust.

Advantages and Risks

Web proxies are easy to use -- you don't need to install any software, you can use a public Web proxy even if you don't have a trusted contact in an unfiltered location. Private Web proxies can be customized to meet the specific needs of users and are less likely to be discovered and blocked by any filtering authorities.

But Web proxies have potential disadvantages. They often allow only Web traffic (HTTP), so they can't be used for other services such as e-mail or instant messaging. Many cannot use multimedia (such as YouTube) or be used with encryption (SSL). Web services that require authentication (such as Web-based e-mail) may not be fully functional through Web proxies or may make you vulnerable to having your passwords or other information monitored or stolen.

Web proxies also can be blocked or intercepted. The addresses of public Web proxies are generally well known and access to them may be blocked. Private Web proxies require that a user have a contact in an unfiltered location. Unencrypted communications with Web proxies can be intercepted by network operators, thus keyword filtering may still work against unencrypted Web proxies.

Web proxy users also need to keep in mind that the operators of their Web proxies can read their communications and record the IP address from which the Web proxy was used. If that information would put you at risk, you should consider your choice of proxy carefully.

Using PHProxy

PHProxy is a free Web proxy that provides access to Web sites that would otherwise be blocked.

PHProxy was written in the PHP programming language, originally by someone using the name Abdullah Arif, who stopped working on the project in 2007. Nonetheless, it remains functional and useful and many people have used it to set up their own public Web proxies.

Where can I access PHProxy?

You can find a public PHProxy service by searching for "PHProxy" in any search engine, but someone you know who has space on a Web server with unrestricted Internet access can also set up a custom PHProxy service for you.

(If you have space on a Web server with unrestricted Internet access, you can set up a PHProxy service yourself for use by people whose access is restricted. To do so, you can download the PHProxy script at http://sourceforge.net/projects/poxy/.)

How does it work?

Here's an example that illustrates how PHProxy works:

1. Enter the address of the PHProxy service, for example http://www.cship.info/poxy/, in your Web browser.

2. In the "Web Address" box on the PHProxy page, enter the address of the Web site you want to visit, for example, http://www.google.com. You can keep the default options.

3. Click "Go" or press Enter.


The Web site you wanted to visit is displayed in the browser window.


To continue browsing, you can either:

Click any link. The Web proxy is automatically used to retrieve linked pages.

Enter a new URL in the "Address" box at the top of the page.

Advanced options

Usually, you can keep the default options to browse. However you can choose between several advanced options:

Include mini URL-form on every page: Check this option if you want to have a form on the proxified Web sites so you can enter new URLs without going back to the start page of the PHProxy. If you only have a small screen, you may want to de-select this option so you have more space for the target Web page.

Remove client-side scripting (i.e., JavaScript): JavaScript is a technology required by some modern Web sites (like Web mail services). Sometimes JavaScript is unwanted because it is also used to deliver advertisements, or because a script can make its own connections from your browser that do not pass through the proxy, revealing your real IP address to the site or to anyone watching the network.

Allow cookies to be stored: Cookies are small pieces of data, usually containing a unique identifier, that Web sites ask your browser to keep and send back on later visits. They are required for some Web sites that need authentication, but they can also be used to track you. With this option turned on, every cookie is kept until it expires, which can be a long time. If you want to allow cookies for this session only, de-select this option and select "Store cookies for this session only" (see below).

Show images on browsed pages: If you are on a slow Internet connection, you can de-select this option so the Web sites load faster.

Show actual referring Website: By default your browser sends every website the URL you are coming from. For example if you search on Google for "Internet censorship wiki" the results page will be http://www.google.com/search?q=internet+censorship+wiki. When you then click on the link http://en.cship.org/wiki/ from the results that website will get the Google link which can be stored in logfiles and analysed automatically. For better anonymity you can de-select this option. Some websites may not work if this option is de-selected.

Use ROT13/base64 encoding: This option changes the way the URL of the Web site you want to visit is transferred to the proxy. For example, the URL http://en.cship.org/wiki/ becomes uggc://ra.pfuvc.bet/jvxv/ in ROT13 and aHR0cDovL2VuLmNzaGlwLm9yZy93aWtpLw== in base64. Both encodings are well known and trivially reversible, so they are not encryption at all. Still, they can be used to confuse simple keyword filters that look for banned words in the URL. If you use SSL encryption (the URL of the PHProxy starts with https) this encoding is redundant, since the connection to the proxy is already encrypted and hidden from filters. Note that the proxy operator sees the real URL in either case.

Strip meta information tags from pages: Meta tags are additional information stored in many websites to be used automatically by computer programs. Such information may include name of the author, description of the site content or keywords for search engines. You may check this option to avoid presenting this information to keyword filters.

Strip page title: With this option turned on, PHProxy deletes the page title of the website, which you normally see in the title bar on top of your browser. This can be useful, for example, to hide the name of the Web site you are visiting when you minimize your browser.

Store cookies for this session only: Similar to the "Allow cookies to be stored" option. With this option turned on, your cookies are only stored until you close your PHProxy session.

Using psiphon

psiphon is a Web proxy designed to be used between people who have pre-existing private, trusted relationships (such as friends and family). A person in an unrestricted location provides a psiphon proxy service to a person they know in a location where access is limited. It is not intended to be a public, open proxy service.

If you want to use psiphon to bypass Internet restrictions, you first need to find someone in a location with no Internet restrictions who is willing to provide a psiphon node for you. There is an official psiphon forum at http://psiphon.civisec.org/forum/ where psiphon users share information about available psiphon nodes. You may be able to find a trustworthy person through that forum, but note that the person whose psiphon node you use will have access to all of your Internet activity, including passwords and other private data.

(If you have a server or Web space in a location with no Internet restrictions, you can install psiphon for other people to use. Visit http://psiphon.ca/download.php for more information.)

Connecting to a psiphon Proxy

When you have established contact with the owner of a psiphon node, that person will send you information that may look like this:

URL: https://86.103.195.150:443/cship/ Username: cship Password: cship

To use the psiphon proxy, enter the URL you receive into your Web browser and then sign in with the appropriate account information.

Adding an SSL Exception

The first time that you connect to a psiphon URL, your Web browser might show an error message about a non-valid SSL certificate, as shown below. This happens because you are using an SSL connection (indicated by "https:" in the URL), and SSL connections are normally supposed to be secured with official SSL certificates to authenticate the server. Official SSL certificates cost money, so the owner of the psiphon node might not have one (so far, most psiphon nodes don't have them). Ignoring this error message may pose a risk to your privacy because a clever network operator could pretend to be the psiphon server. If you are concerned primarily with access and not privacy, ignoring this error could be appropriate.

If you choose to proceed, you can add an exception rule in your browser so that you will not see it every time you connect. In this example, the exception is added to the Firefox 3 browser:

• Click the "Or you can add an exception" link at the bottom of the page. The browser displays more information and buttons.

• Click "Add Exception". The browser opens a dialog box, with the URL you originally entered in the Location box.

• Click "Get Certificate". More information appears in the dialog box.

• Click "Confirm Security Exception."

If you're concerned about privacy

Adding a security exception or ignoring the security warning, as described above, creates some risk for privacy because an eavesdropper who controls part of your network connection could try to trick you by pretending to be a psiphon server. The severity of this risk depends on how likely it is that someone will try to intercept your communications in this way. In some environments, ignoring the security warning once may not be a substantial risk. (If the first connection wasn't tampered with, subsequent connections will be safe, because Firefox remembers the certificate of the site you communicated with and will warn you again if it changes.) If you're concerned primarily with circumvention and not with privacy, this concern may not be relevant to you.

If you're specifically concerned about privacy and preventing eavesdropping, there are safer ways to verify a site's identity before adding a security exception. One way that may work with Firefox is to use the Perspectives software from Carnegie Mellon University (http://www.cs.cmu.edu/~perspectives/). Perspectives confirms that a psiphon site, or other Web site without an official security certificate, looks the same to you as it does to several other servers.
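A more direct alternative to Perspectives is to compare the certificate the node presents with a fingerprint the node operator gave you over a channel you already trust (in person, or over an existing encrypted chat). The following is an added example, not part of the original manual or of psiphon: it connects with certificate verification deliberately switched off, computes the SHA-256 fingerprint of whatever certificate the server presents, and compares it in constant time with the expected value. The host, port and the fingerprint passed on the command line are whatever your contact gave you; nothing here is specific to psiphon.

```python
"""Added example: check a self-signed certificate by fingerprint before
adding a browser exception. Not part of the original manual or of psiphon.
Assumes the node operator told you the SHA-256 fingerprint out of band."""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon separated, in the
    form browsers display under "certificate fingerprint"."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect, accept whatever certificate is presented (verification is
    off on purpose: we check the certificate ourselves afterwards) and
    return its fingerprint. Nothing beyond the TLS handshake is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def normalise(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex, so a value copied out of a
    chat message or read over the phone compares correctly."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def fingerprint_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison; a value that is not 32 bytes of hex never matches."""
    a, b = normalise(presented), normalise(expected)
    return len(a) == 64 and hmac.compare_digest(a, b)


if __name__ == "__main__":
    import sys
    host, expected = sys.argv[1], sys.argv[2]   # e.g. 86.103.195.150 AB:CD:...
    seen = fetch_fingerprint(host)
    print("server presented:", seen)
    if fingerprint_matches(seen, expected):
        print("matches the fingerprint your contact gave you: adding the exception is safe")
    else:
        print("MISMATCH: someone may be impersonating the node; do not add the exception")
```

If the fingerprint matches, the certificate you are about to accept is the operator's own, and the first-connection weakness described above is closed; if it does not match, the connection is being intercepted or the operator changed certificates, and you should ask before proceeding.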

Logging in to the Proxy

When you see the login page, enter the username and password you got from your contact (in this example both are "cship"). Make sure that the URL starts with "https" so that you are using the psiphon node over a secure encrypted connection.


Browsing via the Proxy

After you login, you will see a psiphon start page.

Enter the URL for the Web site you want to visit (in this example, http://en.cship.org/wiki/), in the box at the top of the page (under the address box for the browser itself).


Click the arrow button on the screen or press the Enter key on your keyboard. The browser displays the Web site whose URL you entered, with the psiphon address box at the top.

To continue browsing you can either:

Click any link. The Web proxy is automatically used to retrieve linked pages.

Enter a new URL in the psiphon address box at the top of the page (not the browser's address box).


Keep in mind that the owner of the psiphon node can monitor and log every Web site you visit and even every password you transfer over that node. In fact, psiphon normally displays a list of the URLs being viewed to the psiphon node operator. That is why it is important that your contact is someone you trust.

Using psiphon 2

psiphon2 is a Web proxy which, unlike other Web proxies (such as CGIProxy or PHProxy), requires authentication. To use psiphon2 you need the URL (address) of a node and an account (username and password). This makes it a little more difficult to use, but it adds security: strangers cannot use the node, and its address is less likely to be discovered and blocked.

How to get a psiphon2 account

To make blocking of a psiphon2 node harder, and to notice when it happens, we work with a "web of trust": you need an invitation from a user who already has a psiphon2 account.

Use an invitation link to register

Once you have received an invitation link like "https://85.31.189.76/w.php?p=384BC", open it with your favorite Web browser (for example Firefox or Internet Explorer).

Accept the SSL error message

When you access the website for the first time you will see an error message because of the invalid SSL certificate. SSL certificates are used to guarantee the identity of a server. An SSL certificate signed by a large Certificate Authority costs a lot of money, so it would be too expensive to buy one for every psiphon2 node. The connection is still encrypted, but when you confirm the error message you accept the node's certificate without any way to check it, so someone who controls your network could impersonate the node on that first connection. See "If you're concerned about privacy" above for how to reduce that risk.

SSL-Error with Internet Explorer 6

If you use Internet Explorer 6, the error message will look like this:


Please confirm the message with a click on "Yes".

SSL-Error with Internet Explorer 7

If you use Internet Explorer 7, the error message will look like this:


Please confirm it with a click on "Continue to this website (not recommended)."

SSL-Error with Firefox 3

If you use the Firefox 3 browser it is a little more complicated:


• First click on "Or you can add an exception".

• Then on "Add Exception".

• Afterwards on "Get Certificate".

• And finally "Confirm Security Exception".

Create your own account

Once you confirmed the security warning you will see a simple registration form:


Choose a language, leave the Invitation code as it is and enter your e-mail address, a nickname and a password (entered twice). The e-mail address will be used to send you the address of a new psiphon2 node when this one gets blocked. We will never send spam to that address. You will need the e-mail address and password you choose to log in to the psiphon2 node later, so remember them.


After a click on "Login" you will see a message confirming the successful creation of your account:


Use the psiphon2 node

To use the psiphon2 node you don't need the invitation link again; just remember (for example, bookmark) the link displayed at the end of your registration, for example "https://85.31.189.76/001/". Open that URL with your browser (for example Internet Explorer or Firefox).


Now enter the email address and the password you used to register your psiphon2 account. You can also choose another language:


After the login you will see a white page with a small form on top. Enter the website you want to visit in that form, like "https://www.sesawe.net/" and click on "GO".


Now the website you want to visit will load and you can continue to surf the Internet freely. All the links on the website will be automatically rewritten so that they go through the psiphon2 node.


Invite others

Maybe you want to help your friends or family members to access websites freely with psiphon2.

To be able to invite other people you have to be a "Power user". To get that status, ask the user who invited you to grant it. You can see whether you have a "Power user" account by looking in your Profile (log in to psiphon2 and click on "Profile"). If you see the links "Invite a user" and "Send invitations" in the menu on the left, you have "Power user" status.

There are two ways to invite other people:

Invite a user

Click on "Invite a user" in your psiphon2 profile page to generate an invitation code/link that you can pass on, for example by normal e-mail, instant messenger or telephone. First, choose the psiphon2 node for which you want to send an invitation. It is very likely that you only have one node in the dropdown menu, so leave the default option. After a click on "Invite" you see a newly generated "Invitation link" you can send to your friends. If they have problems using it they can also enter the "Invitation URL" and the "Invitation Code" manually.


Send invitations

Click on "Send invitations" in your psiphon2 profile to send one or more invitation links automatically through the psiphon2 node. The advantage of this method is that you stay anonymous: the receiver of the e-mail invitation does not know who sent it. First, choose the psiphon2 node for which you want to send an invitation. It is very likely that you only have one node in the dropdown menu, so leave the default option. Then enter a subject for the e-mail the node will send. This can be something related like "Invitation to psiphon2" or something harmless and completely unrelated like "Praise the king!!". Then enter the e-mail addresses which you want to receive an invitation. You can enter just one e-mail address or many, one address per line. After a click on "Invite" you get the message "1 invitations queued", which means that the node will send out the e-mails in the next minutes.


Report a blocked website

Some websites that use complex technologies like streaming video or AJAX may not work with psiphon2 out of the box. To fix this, our developers have to know which websites are not working. If you find such a website you can report it easily by clicking on the "Broken Page" link close to the "GO" button of the top form:


On the next page you can enter some additional information in the "Description" field to make it easier for the developers to reproduce the error and fix it. With a click on "Submit" you send the message to our developers.

Use Psimail

Send messages

With psiphon2 it is possible to send internal messages to other psiphon2 users. To write a message, go to your psiphon2 profile and click on "Compose". In the first field enter the nickname of the user you want to send a message to; you can also enter the e-mail address the other user registered with. Please note that it is not possible to send messages to normal e-mail addresses which are not registered at psiphon2. Write your message in the text box and click on "Send". You will then get the message "Message was sent".


Read Messages

To see if you have received new messages, go to your psiphon2 profile. If you see a bold "Inbox (1)" in the menu on the left, you have new messages. The number in brackets is the number of new messages. After a click on the link you can read the messages:


You can check one or more messages and select one of the possible options: "Mark as Read", "Mark as Unread" or "Delete".

More resources

Psiphon2 FAQ at sesawe.net: https://www.sesawe.net/Psiphon-FAQ.html

Web Proxy Risks

You should be aware of some of the risks associated with the use of Web proxies, especially those maintained by people or organizations you do not know. If you use a proxy to view a public Web site like npr.org, your only risk is that someone will know you were reading the news there (and using a proxy to do it). However, if you use a proxy to send private communications or to reach applications like Web mail, online banking or shopping, there is a risk that other people could access and misuse your information, including your private passwords, especially if those services don't use encryption or if the proxy prevents you from using that encryption.

Lack of Privacy

Systems to circumvent filtering or blocking do not necessarily provide anonymity (even those that may include words like "anonymizer" in their names!). If the link between you and the Web proxy is unencrypted (HTTP as opposed to HTTPS), as with many free Web proxy services, either the operator of the proxy or an intermediary such as an Internet Service Provider (ISP) can intercept and analyze the content. In that case, although circumvention may be successful, network operators can still track the fact that you have used a Web proxy and can determine the content and Web sites you visited.

A Web proxy that does not encrypt your connection sometimes uses other methods to avoid Internet filtering.

For example, one simple technique is called ROT-13, in which each letter of a URL is replaced by the letter thirteen places ahead of it in the Latin alphabet (wrapping around from Z to A; digits and punctuation are left unchanged). You can try it yourself at http://www.rot13.com/. Using ROT-13, the URL http://ice.citizenlab.org becomes uggc://vpr.pvgvmrayno.bet, making it unrecognizable to a keyword filter that only looks for the plain text. This may help you in reaching your Web destination, but it has its weaknesses: the content of the session can still be detected, and such measures can easily be reversed by anyone who thinks to apply ROT-13 to what they see.
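Both obfuscations on this page, the ROT13/base64 option of PHProxy and the ROT-13 trick described just above, are shown in working form below. This is an added example, not part of the original manual or of PHProxy: it encodes a target URL both ways, shows that a filter matching banned keywords against the raw request misses the encoded forms, and then shows that a filter which simply tries the obvious decodings catches all of them. The "/index.php?q=" request shape and the blocklist are constructed for the example.

```python
"""Added example: URL obfuscation as used by Web proxies (ROT13, base64)
and why a keyword filter that normalises its input is not fooled by it.
Not part of the original manual or of PHProxy. The request format and
BLOCKED_KEYWORDS are constructed for this example."""
import base64
import binascii
import codecs
import re

BLOCKED_KEYWORDS = ("cship.org", "citizenlab.org")   # constructed blocklist


def rot13(text: str) -> str:
    """Rotate ASCII letters by 13; digits and punctuation are unchanged.
    Applying it twice gives the original back, so it is not encryption."""
    return codecs.encode(text, "rot_13")


def b64_url(url: str) -> str:
    """Encode a URL the way a proxy's 'base64 encoding' option does."""
    return base64.b64encode(url.encode("ascii")).decode("ascii")


def proxy_request(encoded_target: str) -> str:
    """Constructed shape of a proxified request: the (possibly obfuscated)
    target URL travels in a query parameter, in clear text on an http:// proxy."""
    return "/index.php?q=" + encoded_target


def naive_filter_blocks(request_line: str) -> bool:
    """A filter that looks for banned keywords only in the raw request."""
    return any(k in request_line for k in BLOCKED_KEYWORDS)


def normalising_filter_blocks(request_line: str) -> bool:
    """A filter that also checks the trivially reversible encodings. ROT13 is
    its own inverse, so rotating the whole line once undoes it; runs of
    base64 characters are decoded after restoring any stripped padding."""
    candidates = [request_line, rot13(request_line)]
    for token in re.findall(r"[A-Za-z0-9+/]{8,}", request_line):
        padded = token + "=" * (-len(token) % 4)
        try:
            candidates.append(base64.b64decode(padded, validate=True).decode("ascii"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue   # not base64, or not text once decoded
    return any(naive_filter_blocks(c) for c in candidates)


if __name__ == "__main__":
    target = "http://en.cship.org/wiki/"
    for label, enc in (("plain", target), ("rot13", rot13(target)), ("base64", b64_url(target))):
        line = proxy_request(enc)
        print(f"{label:6} {line}")
        print(f"       naive filter blocks: {naive_filter_blocks(line)}, "
              f"normalising filter blocks: {normalising_filter_blocks(line)}")
```

The second filter costs the censor one extra ROT13 pass and a base64 decode per request, which is why these options only help against the simplest keyword matching; an https:// proxy hides the URL from the network altogether, but never from the proxy operator.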

Advertising, viruses and malware

Some of the people who set up Web proxies do it to make money. This may be done simply and openly by selling advertisements on the pages. More maliciously, some proxy operators may try to infect the computers of those using their proxies with malware, or malicious software. These so-called "drive-by downloads" can hijack your computer for spamming or other commercial or even illegal purposes.

The most important things you can do to protect against malware are to keep all of your software -- including your operating system -- updated and to use an up-to-date antivirus scanner. You can also block ads by using the AdBlockPlus extension for the Firefox browser (http://www.adblockplus.org/). More information on avoiding these risks can be found at the StopBadware Web site (http://www.stopbadware.org/).

The operator of ATunnel.com supports the free service by selling advertisements (in this example for razors). This is a typical example of an ad-supported proxy server.


Cookies and scripts

There are also risks concerning the use of cookies and scripts. Many Web proxies can be configured to remove cookies and scripts, but many sites (for example, social networking sites like MySpace) require them. Be careful when enabling these options, because cookies may be saved on your computer even after you restart it, and so could provide evidence of which sites you visited. One option is to allow cookies selectively. In Firefox 3, for instance, you can instruct the browser to keep cookies only "Until I close Firefox". (Similarly, you can instruct your browser to erase your browsing history when you close it.)

Some sites and advertisers can use these mechanisms to track you even when you use proxies. If you are trying to be anonymous, this can be a problem because this tracking can produce evidence, for example, that the person who did one thing openly is the same person who did another thing anonymously.

The proxy operator can see everything

Even though your connection to the Web-based circumventor may be secure (encrypted), the owner of the proxy will have access to the content of your communications after decrypting them. An additional security concern is the records (log files) that the proxy provider may keep. Depending on the circumventor's location, or the location of their server, authorities may have access to those log files.

Advanced Background

There can be many reasons why simple techniques for accessing blocked content, such as using cached versions of pages from a search engine, or using a simple Web proxy, are inadequate.

In some cases, these simple techniques aren't enough to get around the blocking. In others, the restrictions may affect services beyond simple Web browsing -- such as instant messaging, e-mail or video streaming. In that case, Web proxies probably won't solve your problem.

There may be cases when you want to bypass Internet blocking, but also want to prevent the organization doing the blocking from knowing what pages you are accessing, or prevent them from knowing you are even bypassing filters in the first place.

In these scenarios, there are many more advanced techniques available, and each of them solves different problems in different ways.

This chapter introduces some key technical concepts that will help you make an informed choice about which solution is applicable in a given situation. It also covers, in some detail, many of the different ways access to information may be blocked.

Ports and Protocols

The Internet is based on a series of protocols, standardized sets of rules that govern how the networks of computers communicate. The principal set of protocols for managing connections and message packets for the Internet is TCP/IP (TCP over IP). Protocols can handle a wide range of data, with software to break long transmissions into smaller, numbered packets for transmission, and reassemble the data segments on the receiving end. The most common way to specify which protocol to use is to address packets to a specific port number. For example, HTTP for the Web normally uses port 80, and POP3 for receiving e-mail normally uses port 110. Blocking traffic to a particular port at a particular IP address disables normal access to one service at that site, while leaving the rest of the services available. The simplest way to circumvent a blocked port is to provide the service on a non-standard port, but this can only be done by the operator of the service, not by the user.

The layered networking model

Network protocols are often described as existing in a set of layers. For the Internet, the bottom layer (called the Link Layer) is closest to the hardware, and the highest (called the Application Layer) is closest to the human user. The critical protocols in the middle two layers are TCP (Transmission Control Protocol), which is in the Transport Layer, and IP (Internet Protocol), which is "below" it in the Internet Layer. The two together are commonly referred to as TCP/IP. Less well known but also important is UDP (User Datagram Protocol), which is at the same level as TCP. Many, but not all services offered over TCP are also available over UDP, while some services are on UDP only.

The top level, called the Application Layer, includes protocols such as DNS (for domain names), FTP (file transfers), HTTP (Web), IRC (chat), NNTP (Usenet), POP3 (retrieving e-mail), SIP (Voice-over-IP), and SSH (encrypted communications). IANA (Internet Assigned Numbers Authority) assigns port numbers for each of these application services, such as port 53 for DNS lookup queries, 80 for HTTP, and 110 for POP3 (Post Office Protocol 3). These assignments are defaults, for convenience, and using them is not generally a technical requirement of the protocols; in fact, any sort of data could be sent over any port. There are also numerous default port assignments for UDP that operate in the same way. In some, but by no means all, cases, a service can be accessed on the same port using either TCP or UDP. NTP (Network Time Protocol) is one example of a service that is provided only over UDP. UDP is also commonly used for real-time multimedia applications such as Voice over IP (VoIP) protocols, some of which are not available over TCP.

Users are normally not concerned with port assignments, which are handled automatically in the default cases. Use of the standard ports is not mandatory, however. By prior arrangement between service providers and users, system administrators can set up servers for access to standard services at non-standard port numbers. This allows software to circumvent simple port blocks intended to prevent use of these services.

Some software can be configured to use a non-standard port number. URLs also have a particularly convenient standard way of specifying a port number inside the URL. For example, the URL http://www.example.com:8000/foo/ would make an HTTP request to www.example.com on port 8000, rather than the default HTTP port 80.

Advanced Filtering Techniques

[Adapted from "Access Denied", Chapter 3, by Steven J. Murdoch and Ross Anderson]

The goals of deploying a filtering mechanism vary depending on the motivations of the organization deploying them. They may be to make a particular Web site (or individual Web page) inaccessible to those who wish to view it, to make it unreliable, or to deter users from even attempting to access it in the first place. The choice of mechanism will also depend upon the capability of the organization that requests the filtering: where they have access to, the people against whom they can enforce their wishes, and how much they are willing to spend. Other considerations include the number of acceptable errors, whether the filtering should be overt or covert, and how reliable it is (both against casual users and those who wish to bypass it).

In this section we will describe how particular content can be blocked once the list of resources to be blocked is established. Building this list is a considerable challenge and a common weakness in deployed systems. Not only does the huge number of Web sites make building a comprehensive list of prohibited content difficult, but as content moves and Web sites change their IP addresses, keeping this list up-to-date requires a lot of effort. Moreover, if the operator of a site wishes to interfere with the blocking, the site could be moved more rapidly than it would be otherwise.

TCP/IP Header Filtering

An IP packet consists of a header followed by the data the packet carries (the payload). Routers must inspect the packet header, as this is where the destination IP address is located. To prevent targeted hosts being accessed, routers can be configured to drop packets destined for IP addresses on a blacklist. However, each host may provide multiple services, such as hosting both Web sites and e-mail servers. Blocking based solely on IP addresses will make all services on each blacklisted host inaccessible.

Slightly more precise blocking can be achieved by additionally blacklisting the port number, which is also in the TCP/IP header, so that, for example, only the Web server on a host is blocked while its e-mail server remains reachable. Port-based blocking still cannot distinguish between Web sites, however: it is very common for many completely different Web sites to be hosted on the same IP address, on the same port number, 80.

Port Blocking

Access to ports may be controlled by the network administrator of the organization that hosts the computer you're using -- whether a private company or an Internet café, by the ISP that is providing Internet access, or by someone else such as a government censor who has access to the connections that are available to the ISP. There are many reasons other than censorship that ports may be blocked -- to reduce spam, or to control costs associated with high-bandwidth uses such as peer-to-peer filesharing.

If a port is blocked, all traffic on this port becomes inaccessible to you. Censors often block the ports 1080, 3128, and 8080 because these are the most common proxy ports. If this is the case, you have to find proxies that are listening on an uncommon port. These can be difficult to find.

You can test which ports are blocked on your connection using Telnet. Just open a command line (terminal or DOS prompt), type "telnet login.icq.com 5555" or "telnet login.oscar.aol.com 5555" and press Enter. The number is the port you want to test. If you get some strange symbols in return, the connection succeeded (a blank screen can also mean success, since some services wait for you to type something first).

If, on the other hand, the computer immediately reports that the connection failed, timed out, or was interrupted, disconnected, or reset, that port is probably being blocked. (Keep in mind that some ports could be blocked only in conjunction with certain IP addresses, and that "connection refused" can also simply mean that nothing is listening on that port at the remote host.)
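The Telnet test above, automated, as an added example that is not part of the original manual. It matters which failure you get: "connection refused" means the remote host answered and nothing is listening there, while a silent timeout means the packets were dropped on the way, which is the usual signature of a port filter. The probe also captures the first bytes the server sends (the "strange symbols" Telnet shows) and tolerates services that wait for the client to speak first. The hosts in the main block are the ones named in the text; the loopback self-check is constructed so the example can be run offline.

```python
"""Added example: classify why a TCP connection to a port succeeded or
failed. Not part of the original manual. Hosts in main() are from the text;
the loopback self-check is constructed for offline use."""
import socket
from typing import NamedTuple, Tuple


class ProbeResult(NamedTuple):
    host: str
    port: int
    state: str      # "open", "refused", "timeout", "reset" or "error"
    banner: bytes   # what the server sent first, if anything
    detail: str


def probe(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Connect once and report the outcome. 'timeout' is the state a
    dropping filter produces; 'refused' means the host is reachable but
    nothing listens; 'error' covers DNS failure (itself a sign of DNS tampering)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(1.0)
            try:
                banner = sock.recv(64)          # e.g. an OSCAR/FLAP hello or an SMTP greeting
            except socket.timeout:
                banner = b""                    # open, but the service expects us to speak first
            except ConnectionResetError:
                banner = b""                    # accepted, then dropped: still reachable
            return ProbeResult(host, port, "open", banner, "")
    except ConnectionRefusedError as e:
        return ProbeResult(host, port, "refused", b"", str(e))
    except socket.timeout:
        return ProbeResult(host, port, "timeout", b"", "no answer at all: probably filtered")
    except ConnectionResetError as e:
        return ProbeResult(host, port, "reset", b"", str(e))
    except OSError as e:                        # unreachable network, DNS failure, ...
        return ProbeResult(host, port, "error", b"", str(e))


def demo_against_loopback() -> Tuple[str, str]:
    """Offline self-check: probe a port we are listening on and one we just
    freed, which must come back 'open' and 'refused' respectively."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return (probe("127.0.0.1", open_port).state,
                probe("127.0.0.1", closed_port).state)
    finally:
        listener.close()


if __name__ == "__main__":
    for host, port in (("login.icq.com", 5555), ("login.oscar.aol.com", 5555)):
        r = probe(host, port)
        print(f"{host}:{port} -> {r.state} {r.banner[:16]!r} {r.detail}")
```

Run it from inside the filtered network and again from an unfiltered one; a port that is "open" from outside but "timeout" from inside is blocked on the path, while "refused" in both places means the service simply is not there. As the text warns, repeat the probe against more than one IP address before concluding that a port is blocked everywhere.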

Some of the most commonly used ports are:

20 and 21 - FTP (file transfer)

22 - SSH (secure shell remote access)

23 - Telnet (unsecure remote access)

25 - SMTP (send email)

53 - DNS (resolves a computer's name to an IP address)

80 - HTTP (normal web browsing; also sometimes used for a proxy)

110 - POP3 (receive email)

143 - IMAP (receive and manage email)

443 - HTTPS (HTTP over SSL/TLS, secure web browsing)

993 - secure IMAP

995 - secure POP3

1080 - SOCKS proxy

1194 - OpenVPN

3128 - Squid proxy

3389 - Remote Desktop

8080 - Standard HTTP-style proxy

For example, in one university, only the ports 22 (SSH), 110 (POP3), 143 (IMAP), 993 (secure IMAP), 995 (secure POP3) and 5190 (ICQ instant messaging) may be open for external connections. This means that you would need to find a proxy server or VPN server running on one of these ports, or convince a friend or contact outside the university to set up a server on such a port. The ability to run servers on ports other than those they normally run on is what makes several circumvention techniques possible in the first place.

TCP/IP Content Filtering

TCP/IP header filtering can only block communication on the basis of where packets are going to or coming from, not what they contain. This can be a problem for the censor if it is impossible to establish the full list of IP addresses containing prohibited content, or if some IP address contains enough non-infringing content to make it seem unjustifiable to totally block all communication with it. There is a finer-grained control possible:

the content of packets can be inspected for banned keywords. As routers do not normally examine packet content but just packet headers, extra equipment may be needed. Typical hardware may be unable to react fast enough to block the infringing packets, so other means to block the information must be used instead. As packets have a maximum size, the full content of the communication will likely be split over multiple packets. Thus while the offending packet will get through, the communication can be disrupted by blocking subsequent packets. This may be achieved by blocking the packets directly or by sending a message to both of the communicating parties requesting they terminate the conversation. Another effect of the maximum packet size is that keywords may be split over packet boundaries. Devices that inspect each packet individually may then fail to identify infringing keywords. For packet inspection to be fully effective, the stream must be reassembled, which adds additional complexity. Alternatively, an HTTP proxy filter can be used, as described later.
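The packet-boundary problem described above, as an added example that is not part of the original manual or of "Access Denied". A banned keyword is placed in an HTTP request, the request is carved into segments so that a boundary falls inside the keyword, and three inspectors are run over the segments: one that looks at each packet alone (and misses it), one that reassembles the stream first (and catches it), and a cheaper middle ground that carries the tail of the previous segment forward. The request, segment sizes and keyword list are constructed.

```python
"""Added example: per-packet versus reassembled keyword inspection.
Not part of the original manual or of "Access Denied". REQUEST, BANNED
and the segment sizes are constructed for the example."""
from typing import List

BANNED = (b"cship.org",)                                  # constructed keyword list

REQUEST = (b"GET /wiki/ HTTP/1.1\r\n"                    # constructed HTTP request
           b"Host: en.cship.org\r\n"
           b"Connection: close\r\n\r\n")


def split_into_packets(payload: bytes, mss: int) -> List[bytes]:
    """Carve a byte stream into segments of at most mss bytes (headers omitted)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def boundary_splitting_mss(payload: bytes, keyword: bytes) -> int:
    """A segment size that puts the first boundary in the middle of the
    keyword, which is what a client lowering its MSS could arrange."""
    return payload.index(keyword) + len(keyword) // 2


def per_packet_inspection(packets: List[bytes]) -> bool:
    """Naive DPI: examine every segment on its own, as cheap hardware does."""
    return any(k in p for p in packets for k in BANNED)


def reassembled_inspection(packets: List[bytes]) -> bool:
    """Proper DPI: rebuild the stream first, then search it."""
    stream = b"".join(packets)
    return any(k in stream for k in BANNED)


def sliding_window_inspection(packets: List[bytes], overlap: int = None) -> bool:
    """Middle ground: keep the last (longest keyword - 1) bytes of the
    previous segment and prepend them to the next, catching straddling
    keywords at fixed memory cost without full reassembly."""
    if overlap is None:
        overlap = max(len(k) for k in BANNED) - 1
    tail = b""
    for p in packets:
        window = tail + p
        if any(k in window for k in BANNED):
            return True
        tail = window[-overlap:] if overlap else b""
    return False


if __name__ == "__main__":
    for mss in (1460, boundary_splitting_mss(REQUEST, b"cship.org")):
        pkts = split_into_packets(REQUEST, mss)
        print(f"mss={mss:5} segments={len(pkts)} per-packet={per_packet_inspection(pkts)} "
              f"sliding={sliding_window_inspection(pkts)} reassembled={reassembled_inspection(pkts)}")
```

With a normal 1460-byte segment size the whole request fits in one packet and every inspector fires; with the boundary placed inside the keyword only the inspectors that keep state across segments do, which is the "additional complexity" the text refers to and also the reason a censor may fall back to blocking the rest of the connection once any later packet is recognised.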

DNS Tampering

Most Internet communication uses domain names rather than IP addresses, particularly for Web browsing. Thus, if the domain name resolution stage can be filtered, access to infringing sites can be effectively blocked. With this strategy, the DNS server accessed by users is given a list of banned domain names. When a computer requests the corresponding IP address for one of these domain names, an erroneous (or no) answer is given. Without the IP address, the requesting computer cannot continue and will display an error message.

Note that at the stage the blocking is performed, the user has not yet requested a page, which is why all pages under a domain name will be blocked.

HTTP Proxy Filtering

An alternative way of configuring a network is to not allow users to connect directly to Web sites but force (or just encourage) all users to access those sites via a proxy server. In addition to relaying requests, the proxy server may temporarily store the Web page in a cache. The advantage of this approach is that if a second user of the same ISP requests the same page, it will be returned directly from the cache, rather than connecting to the actual Web server a second time. From the user's perspective this is better since the Web page will appear faster, as they never have to connect outside their own ISP. It is also better for the ISP, as connecting to the Web server will consume (expensive) bandwidth, and rather than having to transfer pages from a popular site hundreds of times, they need only do this once.

However, as well as improving performance, an HTTP proxy can also block Web sites. The proxy decides whether requests for Web pages should be permitted, and if so, sends the request to the Web server hosting the requested content. Since the full content of the request is available, individual Web pages can be filtered, based on both page names and the actual content of the page.

Hybrid TCP/IP and HTTP Proxy

As the requests intercepted by an HTTP proxy must be reassembled from the original packets, decoded, and then retransmitted, the hardware required to keep up with a fast Internet connection is very expensive. So systems exist that provide the versatility of HTTP proxy filtering at a lower cost. They operate by building a list of the IP addresses of sites hosting prohibited content, but rather than blocking data flowing to these servers, the traffic is redirected to a transparent HTTP proxy. There, the full Web address is inspected and if it refers to banned content, it is blocked; otherwise the request is passed on as normal.
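The two-stage design of the hybrid filter above, and the URL-level decision that an HTTP proxy can make once it has the whole request, as an added Python example that is not taken from this manual or from any real filtering product. The diverted IP address, the host names and the blocked path prefixes are all constructed for the example (the IP address is from the TEST-NET-3 documentation range).

```python
"""Hybrid TCP/IP + HTTP proxy filter decision logic (added example).

Stage 1 is the cheap router-level check: only traffic to a short list of
server IPs is diverted to the proxy. Stage 2 is the transparent HTTP proxy,
which sees the full request and decides per host and path.
"""
from urllib.parse import urlsplit

# Constructed watch list: servers that host at least some banned pages.
DIVERT_IPS = {"203.0.113.10"}
# Constructed URL block list as (host, path prefix) pairs.
BLOCKED_URLS = [("news.example", "/politics/"), ("video.example", "/")]


def route(dst_ip):
    """Stage 1: the router looks only at the destination IP in the header."""
    return "divert" if dst_ip in DIVERT_IPS else "pass"


def parse_request(raw):
    """Parse the request line and headers of a plain HTTP/1.x request.

    Returns (method, host, path, headers). Handles both origin-form targets
    ("GET /x") with a Host header and absolute-form ("GET http://h/x").
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    host = (parts.netloc or headers.get("host", "")).lower()
    path = parts.path or "/"
    return method, host, path, headers


def proxy_decision(raw):
    """Stage 2: the proxy has the whole request, so it can judge host+path."""
    _method, host, path, _headers = parse_request(raw)
    for b_host, prefix in BLOCKED_URLS:
        if host == b_host and path.startswith(prefix):
            return "block", f"{host}{path} matches {b_host}{prefix}"
    return "allow", f"{host}{path}"


def filter_flow(dst_ip, raw_request):
    """Whole pipeline: 'pass' (never inspected), 'allow' or 'block'."""
    if route(dst_ip) == "pass":
        return "pass"
    return proxy_decision(raw_request)[0]


if __name__ == "__main__":
    req = b"GET /politics/vote HTTP/1.1\r\nHost: news.example\r\n\r\n"
    print(filter_flow("198.51.100.5", req))   # pass: not on the IP list
    print(filter_flow("203.0.113.10", req))   # block: diverted, URL matches
```

Note what each stage can and cannot see: the router decides on the IP header alone and never parses HTTP, while the proxy can distinguish one path from another on the same server, which is exactly why the hybrid avoids blocking a whole IP address.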

Denial of Service

Where the organization deploying the filtering does not have the authority (or access to the network infrastructure) to add conventional blocking mechanisms, Web sites can be made inaccessible by overloading the server or network connection. This technique, known as a Denial-of-Service (DoS) attack, could be mounted by one computer with a very fast network connection; more commonly, a large number of computers are taken over and used to mount a distributed DoS (DDoS).

Domain Deregistration

As mentioned earlier, the first stage of a Web request is to contact the local DNS server to find the IP address of the desired location. Storing all domain names in existence would be infeasible, so instead so-called recursive resolvers store pointers to other DNS servers that are more likely to know the answer. These servers will direct the recursive resolver to further DNS servers until one, the "authoritative" server, can return the answer.

The domain name system is organized hierarchically, with country domains such as ".uk" and ".de" at the top, along with the nongeographic top-level domains such as ".org" and ".com". The servers responsible for these domains delegate responsibility for subdomains, such as example.com, to other DNS servers, directing requests for these domains there. Thus, if the DNS server for a top-level domain deregisters a domain name, recursive resolvers will be unable to discover the IP address and so make the site inaccessible.

Country-specific top-level domains are usually operated by the government of the country in question, or by an organization appointed by it. So if a site is registered under the domain of a country that prohibits the hosted content, it runs the risk of being deregistered.

Server Takedown

Servers hosting content must be physically located somewhere, as must the administrators who operate them. If these locations are under the legal or extra-legal control of someone who objects to the content hosted, the server can be disconnected or the operators can be required to disable it.

Surveillance

The above mechanisms inhibit access to banned material, but are both crude and possible to circumvent. Another approach, which may be applied in parallel to filtering, is to monitor which Web sites are being visited. If prohibited content is accessed (or an attempt is made to access it), then legal (or extra-legal) measures could be deployed as punishment.

If this fact is widely publicized, it could discourage others from attempting to access banned content, even if the technical measures for preventing access are inadequate by themselves.

Cryptography

Cryptography is -- among other applications -- a technical defense against surveillance that uses sophisticated mathematical techniques to scramble communications, making them unintelligible to an eavesdropper. Cryptography can also prevent a network operator from modifying communications, or at least make such modifications detectable.

Modern cryptography is thought to be extremely difficult to defeat by technical means; widely available cryptographic software can give users very powerful privacy protection against eavesdropping. On the other hand, encryption can be circumvented by several means, including targeted malware, or in general through key-management and key-exchange problems, when users cannot or do not follow the procedures necessary to use cryptography securely. For example, cryptographic applications usually need a way to verify the identity of the person or computer at the other end of a network connection; otherwise, the communication could be vulnerable to a man-in-the-middle attack where an eavesdropper impersonates one's communication partner in order to intercept supposedly private communications. This identity verification is handled in different ways by different software, but skipping or bypassing the verification step can increase one's vulnerability to surveillance.

Another surveillance technique is traffic analysis, where facts about a communication are used to infer something about the content, origin, destination, or meaning of the communication even if an eavesdropper is unable to understand the contents of the communication. Traffic analysis can be a very powerful technique and is very difficult to defend against; it is of particular concern for anonymity systems, where traffic analysis techniques might help identify an anonymous party. Advanced anonymity systems like Tor contain some measures intended to reduce the effectiveness of traffic analysis, but might still be vulnerable to it depending on the capabilities of the eavesdropper.

Social Techniques

Social mechanisms are often used to discourage users from accessing inappropriate content. For example, families may place the PC in the living room where the screen is visible to all present, rather than somewhere more private, as a low-key way of discouraging children from accessing unsuitable sites. A library may well situate PCs so that their screens are all visible from the librarian's desk. An Internet café may have a CCTV surveillance camera. There might be a local law requiring such cameras, and also requiring that users register with government-issue photo ID. There is a spectrum of available control, ranging from what many would find sensible to what many would find objectionable.

What Is an HTTP Proxy?

Software called an application proxy enables one computer on the Internet to process requests from another computer. The most common kinds of application proxies are HTTP proxies, which handle requests for Web sites, and SOCKS proxies, which handle connection requests from a wide variety of applications. In this chapter we will look at HTTP proxies and how they work.

Good proxies and bad proxies

Application proxies can be used by network operators to censor the Internet or to monitor and control what users do. However, application proxies are also a tool for users to get around censorship and other network restrictions.

Proxies that restrict access

A network operator may require users to access the Internet (or at least Web pages) only through a certain proxy. The network operator can program this proxy to keep records of what users access and also deny access to certain sites or services (IP blocking or port blocking). In this case, the network operator may use a firewall to block connections that do not go through the restrictive proxy. This configuration is sometimes called a forced proxy, because users are required to use it.

Proxies for circumvention

However, an application proxy can also be helpful for circumventing restrictions. If you can communicate with a computer in an unrestricted location that is running an application proxy, you can benefit from its unrestricted connectivity. Sometimes a proxy is available for the public to use; in that case, it's called an open proxy. Many open proxies are blocked in Internet-restricting countries if the people administering the network restrictions know about them.

Where to find an application proxy

There are many Web sites with lists of open application proxies. An overview of such Web sites is available at http://www.dmoz.org/Computers/Internet/Proxying_and_Filtering/Hosted_Proxy_Services/Free/Proxy_Lists/.

Please note that many open application proxies only exist for a few hours, so it is important to get a proxy from a list which was very recently updated.

HTTP Proxy settings

To use an application proxy, you must configure the proxy settings for your operating system or within individual applications. Once you have selected a proxy in an application's proxy settings, the application tries to use that proxy for all of its Internet access. Be sure you make note of the original settings so that you can restore them. If the proxy becomes unavailable or unreachable for some reason, the software that is set to use it generally stops working. In that case, you may need to reset to the original settings.

On Mac OS X and some Linux systems, these settings can be configured in the operating system, and will automatically be applied to applications such as the web browser or instant messaging applications. On Windows and some Linux systems, there is no central place to configure proxy settings, and each application must be configured locally. Bear in mind, that even if the proxy settings are configured centrally there is no guarantee that applications will support these settings, so it is always a good idea to check the settings of each individual application.

Typically only Web browsers can directly use an HTTP proxy. The steps below describe how to configure Microsoft Internet Explorer, Mozilla Firefox or the free and open source instant messaging client Pidgin to use a proxy. If you use Firefox for Web browsing, it may be simpler to use the SwitchProxy software; it is an alternative to the steps below. If you use Tor, it is safest to use the TorButton software (which is provided as part of the Tor Bundle download) to configure your browser to use Tor.

While e-mail clients such as Microsoft Outlook and Mozilla Thunderbird can also be configured to use HTTP proxies, actual mail traffic when sending and fetching mail, uses other protocols such as POP3, IMAP and SMTP, and this traffic will not pass through the HTTP proxy.

Mozilla Firefox

To configure Firefox to use an HTTP proxy:

1. On the "Tools" menu, click "Options".

2. The "Options" window appears.

3. In the toolbar at the top of the window, click "Advanced".

4. Click the "Network" tab.

5. Click "Settings". Firefox displays the "Connection Settings" window.

6. Select "Manual proxy configuration". The fields below that option become available.

7. Enter the "HTTP proxy" address and "Port" number, and then click "OK".

If you select "Use this proxy server for all protocols", Firefox will attempt to send HTTPS (secure HTTP) and FTP traffic through the proxy. This may not work if you are using a public application proxy, since many of these do not support HTTPS and FTP traffic. If, on the other hand, your HTTPS and/or FTP traffic is being blocked, you can try to find a public application proxy with HTTPS and/or FTP support, and use the "Use this proxy server for all protocols" setting in Firefox.

Now Firefox is configured to use an HTTP proxy.

Microsoft Internet Explorer

To configure Internet Explorer to use an HTTP proxy:

1. On the "Tools" menu, click "Internet Options".

2. Internet Explorer displays the "Internet Options" window.

3. Click the "Connections" tab.

4. Click "LAN Settings". The "Local Area Network (LAN) Settings" window appears.

5. Select "Use a proxy server for your LAN".

6. Click "Advanced". The "Proxy Settings" window appears.

7. Enter the "Proxy address to use" and "Port" number in the first row of fields.

8. If you select "Use the same proxy server for all protocols", Internet Explorer will attempt to send HTTPS (secure HTTP) and FTP traffic through the proxy. This may not work if you are using a public application proxy, since many of these do not support HTTPS and FTP traffic. If, on the other hand, your HTTPS and/or FTP traffic is being blocked, you can try to find a public application proxy with HTTPS and/or FTP support, and use the "Use the same proxy server for all protocols" setting in Internet Explorer.

Now Internet Explorer is configured to use an HTTP proxy.

Pidgin Instant Messaging Client

Some Internet applications other than Web browsers can also use an HTTP proxy to connect to the Internet, potentially bypassing blocking. Here is an example with the instant messaging software Pidgin.

1. On the "Tools" menu, click "Preferences".

2. Pidgin displays the "Preferences" window.

3. Click the "Network" tab to display it.

4. For "Proxy type", select "HTTP". Additional fields appear under that option. Enter the "Host" address and "Port" number of your HTTP proxy.

5. Click "Close".

Pidgin is now configured to use the HTTP proxy.

When you're done with the proxy

When you are done using a proxy, particularly on a shared computer, return the settings you've changed to their previous values. Otherwise, those applications will continue to try to use the proxy. This could be a problem if you don't want people to know that you were using the proxy or if you were using a local proxy provided by a particular circumvention application that isn't running all the time.

Installing SwitchProxy

SwitchProxy can switch between multiple application proxy configurations on any computer using the Firefox Web browser. This means it can easily run on Windows, Linux or Mac OS X.

SwitchProxy allows you to activate and deactivate proxy connections from a simple menu. It can also switch through a series of proxies at an interval you specify. (The author of SwitchProxy refers to this feature as support for "Anonymous" proxies, but using this feature does not, by itself, guarantee your anonymity!)

To install SwitchProxy:

1. Go to the web page for the SwitchProxy add-on for Firefox: https://addons.mozilla.org/en-US/firefox/addon/125

2. Click "Add to Firefox". The installation process starts, and an installation window appears.

3. If you click on this window, the "Install" button (which is initially inactive) counts down from 5 to 1. Then the "Install" button becomes active.

4. Click "Install". The add-on downloads automatically and installs itself. A window then appears offering to restart Firefox.

5. Click "Restart Firefox". A confirmation window appears.

6. Click "Restart". Firefox shuts down and then re-opens.

After you install the SwitchProxy add-on, the Firefox Toolbar shows tools for SwitchProxy.

The Firefox "Add-ons" window shows that SwitchProxy has been installed.

The list of Add-ons will vary from what is shown here. Scroll down until you see the SwitchProxy tool. If you click on "SwitchProxy Tool", you can access the Preference controls.

Congratulations! The SwitchProxy tool should now be installed. Now you need to learn how to configure and use it.

Using Switch Proxy

SwitchProxy lets you quickly change the proxy settings of your Firefox browser. You can do this in order to use a public proxy available to everyone, a specific private proxy to which you've arranged access, or a local proxy provided by a client application such as SSH. Usually, you will need to have a particular application proxy or list of application proxies that you want to use before using SwitchProxy; SwitchProxy mainly helps you use proxies, not find them. SwitchProxy also supports loading a list of several proxies and switching frequently among them.

SwitchProxy configuration

To configure SwitchProxy, you need to open its configuration window, accessed through the Firefox "Tools" menu. Choose "Add-ons". You should see "SwitchProxy Tool" listed in the Add-ons menu. Click the link once to reveal the "Preferences" button.

Click the "Preferences" button to display the panel for setting a simple set of preferences.

The items in the General section relate only to where SwitchProxy information will be displayed in the Browser.

The second section (When I switch proxies) is more important, as this determines how SwitchProxy will behave. When you switch proxies, SwitchProxy can do a number of things. It can automatically clear your Cookies and it can reload the page that you were using through the new proxy. These behaviors are controlled by the check boxes displayed.

You should choose "Clear my cookies" when switching proxies, as some sites might be able to correlate your previous IP address with a cookie. Reloading the page automatically when you change a proxy will ensure there is no communication still taking place through the old proxy settings.

You manage the core of SwitchProxy's functionality with the last button, "Manage Proxies". If you click this button you can add, edit and remove proxies.

Adding a Basic Proxy

Let's add a proxy to SwitchProxy. To do this, we first choose "Manage Proxies" as described above. The "Manage Proxies" window appears. If you had other proxies already configured inside SwitchProxy, they would be displayed here. To add a new proxy, click "Add".

Choosing Standard allows you to set up a proxy for Web browsing, uploading files, and other typical actions. This is useful for accessing servers that might be blocked.

SwitchProxy also offers an Anonymous option; however, this option is misnamed because it does not guarantee anonymity. It simply allows the use of multiple proxies with frequent switching among them.

Standard Proxy Settings


You need to know the settings for the proxy you wish to add. This can be quite a lot of information depending on what type of access you require and how the proxy manages that type of access.

Ideally, you should already know the settings for the proxies you want to try to use with SwitchProxy. For purposes of example, we will find a public proxy from the "Public Proxy Servers" web site (http://www.publicproxyservers.com) and add it to SwitchProxy. (We have no information about who operates these proxies, so we don't really know how trustworthy they are.)

First, on the Public Proxy Servers main page, we choose "proxy list [1]" from the left-hand navigation panel (http://www.publicproxyservers.com/page1.html). We then see a list of proxies.

We'll enter the IP (in this case, 88.255.50.114) and Port (in this case, 80) information from the list into the first fields of the Standard configuration window.

You can give each proxy a label (we are using "Pub Proxy" in the example). This is all you need to do to set up this proxy. If you want to set up the proxy for other types of access (SSL, FTP, Gopher or Socks), you would need to continue filling out the details in the other fields. Usually the port and IP settings are the same, so you would use the same details for each type of access required.

Note:

1. Many proxies only offer HTTP (Web browsing) access. If you want to use a proxy for other types of Internet use, you can try it to see if it works.

2. Many open proxies only work for a few hours at a time, so be prepared to switch among several to find one that is working.

3. The settings are only used by the Firefox browser using SwitchProxy. If you open another browser or use another type of application (for example, an FTP client), it does not have access to the SwitchProxy settings.

After you enter the details, click "OK" to save the settings. The "Manage Proxies" window appears again. Click "OK" again to close this window and save the new proxy to your list. It is important to note that these proxy settings are not active until you make the proxy active through SwitchProxy.

Adding a list of proxies for automated switching

SwitchProxy also allows you to create a list of proxies and to set an interval for automatically switching between them. This option is confusingly referred to as "Anonymous" proxy configuration, though, in reality, it does not guarantee anonymity.

If you decide to use this feature, you can set the proxy list yourself. It will be a plain text file with a format like this:

193.147.162.166:3124

133.1.74.162:3124

130.75.87.83:3124

128.112.139.80:3128

128.112.139.80:3124

72.36.112.74:3124

199.26.254.65:3124

The format of each line is simply

IP address:Port number

It is important to place the colon between the two numbers and not to include "http://" before the IP address of the proxy. Each proxy must be on a separate line and the file must be formatted as a text file (sometimes called a .txt file) and not a word processor file (such as a Microsoft Word .doc file or OpenOffice .odt file).
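A small validator for the list format just described, as an added Python example that is not part of this manual or of SwitchProxy: it accepts lines of the form "IP address:Port number" and reports, line by line, why the common mistakes the text warns about (an "http://" prefix, a missing colon, a bad port) are rejected. The sample text is constructed; it reuses addresses from the list above and adds deliberately malformed lines.

```python
"""Parser and validator for a one-proxy-per-line "IP:port" list (added example).

The format is the plain-text one expected by SwitchProxy's list feature:
exactly one "address:port" per line, no scheme prefix, no word-processor
formatting. Addresses in the sample are taken from the list in the text
plus constructed bad lines.
"""
import ipaddress

# Constructed sample file contents, including lines that must be rejected.
SAMPLE_LIST = """\
193.147.162.166:3124
133.1.74.162:3124
http://130.75.87.83:3124
128.112.139.80
128.112.139.80:3124
  72.36.112.74:3124  
199.26.254.65:99999
# comment line, not part of the format
"""


def parse_proxy_line(line):
    """Return (ip, port) for a well-formed line, or raise ValueError saying why."""
    text = line.strip()
    if not text:
        raise ValueError("empty line")
    if "://" in text:
        raise ValueError("scheme prefix such as http:// is not allowed")
    # rpartition so an IPv6 literal (which itself contains colons) still works
    host, sep, port_text = text.rpartition(":")
    if not sep:
        raise ValueError("missing ':' between address and port")
    ip = ipaddress.ip_address(host)   # raises ValueError unless an IP literal
    port = int(port_text)             # raises ValueError unless an integer
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return str(ip), port


def parse_proxy_list(text):
    """Split a list file into accepted (ip, port) entries and rejected
    (line number, reason) pairs; blank lines are skipped silently."""
    accepted, rejected = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            accepted.append(parse_proxy_line(line))
        except ValueError as err:
            rejected.append((n, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_proxy_list(SAMPLE_LIST)
    for entry in ok:
        print("accepted", entry)
    for n, reason in bad:
        print(f"line {n} rejected: {reason}")
```

Running a list through a check like this before loading it into SwitchProxy avoids the silent failure mode where the add-on simply does not switch because a line it could not parse is in the file.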

There are also services online that provide public proxy lists compatible with this feature. Although these services are themselves blocked in some places, you may be able to find useful public proxy lists through a Web search.

For instance, a quick search for "switchproxy anonymous proxy lists" in Google recently led to this site:

http://www.shroomery.org/ythan/proxylist.php. This service, provided by someone with an interest in this area (apparently an amateur, not a commercial service) takes a list of proxies from XROXY (http://www.xroxy.com/proxylist.php?type=Anonymous) and formats the list so that SwitchProxy can use it.

You can add any of these lists -- a list you produce, or an online list -- to SwitchProxy's configuration as a set of "Anonymous" proxies. To do this, choose the "Anonymous" settings option instead of the "Standard" configuration setting.

Click "Next >>" and the settings window appears.

To use the online list, simply enter the URL of the list into the Url field and click "Load". To add a list you have created you must click "Browse" next to the File field, select the file from your computer's hard drive and then click "Load". Don't forget to give the list a name (or "Label"). Using the online list mentioned in the example above, the proxies from that list appear in the window after clicking "Load".

Now you must choose the interval for cycling through the proxies. Intervals for automatic switching in SwitchProxy are represented in seconds, so if you want to set an interval of 3 minutes, you would type "180" into the "Change proxy every[ ]" field. After you click "OK", the window closes and SwitchProxy saves your new proxy list.

Using SwitchProxy

To use the proxies you have saved, just click the "Tools" menu in Firefox. Selecting "SwitchProxy", you should see a list of proxies you have already configured. Selecting one of them activates that proxy item. To use no proxies choose "None".

Disadvantages and Risks

Using a public application proxy does not guarantee that you will be anonymous. Whenever you use any proxy, you are trusting the operator of the proxy not to reveal or abuse information about you or how you use the proxy.

Your communications with the proxy can also be observed by a network operator. If you visit a Web site on different occasions using the same computer, for instance, the site can potentially recognize you as the same person by using mechanisms like cookies -- even if you use different proxy settings for each visit.

Although Tor provides a local application proxy, you should not use SwitchProxy to activate Tor. Use Torbutton instead. Torbutton protects you against a variety of potential privacy risks (such as DNS leaks) that SwitchProxy does not.

Tor - The Onion Router

Tor (The Onion Router) is a very sophisticated network of proxy servers.

When you are using Tor to access a Web site, your communications are randomly routed through a network of independent, volunteer proxies. All the traffic between Tor servers (or relays) is encrypted, and each of the relays knows only the IP address of two other relays -- the one immediately previous to it and the one immediately after it in the chain.

This makes it very difficult for:

your ISP to know what your target Web site is or what information you are sending

the target Web site to know who you are (at least, to know your IP address)

any of the independent relays to know who you are and where you go
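Why each relay learns only its two neighbours, shown with layered encryption as an added Python example. This is a toy illustration of the onion principle and not Tor's actual protocol: it uses a hash-based stream cipher so it runs with the standard library alone, and the relay names, keys, destination and message are constructed for the example (in a real system each relay's key would come from a key exchange with that relay).

```python
"""Toy onion routing to illustrate hop-by-hop knowledge (added example).

NOT Tor's protocol: a SHA-256 counter keystream stands in for real
encryption, and keys are fixed constants instead of negotiated ones.
"""
import hashlib


def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream; applying it twice decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_onion(path, keys, destination, message):
    """Wrap the message in one layer per relay, innermost layer last.

    Each layer, once peeled by its relay, reveals only "next hop|rest";
    the rest is still encrypted for the following relays.
    """
    next_hops = path[1:] + [destination]
    layer = message
    for key, next_hop in zip(reversed(keys), reversed(next_hops)):
        layer = keystream_xor(key, next_hop + b"|" + layer)
    return layer


def relay_process(key, blob):
    """What one relay does: strip its own layer and read the next hop."""
    plain = keystream_xor(key, blob)
    next_hop, _, rest = plain.partition(b"|")   # hop names contain no '|'
    return next_hop, rest


def send_through(path, keys, destination, message, sender=b"client"):
    """Simulate the circuit; return (final hop, delivered data, relay views).

    Each view records everything that relay could observe: who handed it
    the blob, who it forwards to, and the still-encrypted payload.
    """
    blob = build_onion(path, keys, destination, message)
    views, prev = [], sender
    for relay, key in zip(path, keys):
        next_hop, blob = relay_process(key, blob)
        views.append({"relay": relay, "from": prev, "to": next_hop,
                      "sees_payload": blob})
        prev = relay
    return next_hop, blob, views


# Constructed circuit: three relays with fixed toy keys.
PATH = [b"relay-1", b"relay-2", b"relay-3"]
KEYS = [b"k1" * 16, b"k2" * 16, b"k3" * 16]

if __name__ == "__main__":
    dest, data, views = send_through(PATH, KEYS, b"www.example", b"hello")
    for v in views:
        print(v["relay"], "from", v["from"], "to", v["to"])
    print("delivered to", dest, ":", data)
```

In the trace, the middle relay sees only "from relay-1, to relay-3" and an opaque blob, the first relay knows the client but not the destination, and the last relay knows the destination but not the client. The example also makes the exit-node caveat from the "Advantages and Risks" section concrete: the last relay necessarily sees the message itself unless the client has applied its own end-to-end encryption underneath.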

What do I need to use the Tor network?

To connect to the Internet through the Tor network and use it for anonymity and circumvention, you need to install the Tor client software on your computer. (It is also possible to run a portable version of the program from a memory stick or other external device.)

Tor is compatible with most versions of Windows, Mac OS X and GNU/Linux.

With what software is Tor compatible?

Tor uses a SOCKS proxy interface to connect to applications, so any application that supports SOCKS (versions 4, 4a and 5) can be anonymized using Tor, including:

most Web browsers

many instant messaging and IRC clients

SSH clients

e-mail clients

If you installed Tor from the Tor Bundle, Browser Bundle or IM Browser Bundle, Tor also configured an HTTP application proxy as a frontend to the Tor network. This will allow some applications that do not support SOCKS to work with Tor.

If you are mostly interested in using Tor for Web surfing and chatting, you may find it easiest to use the Tor Browser Bundle or the Tor IM Browser Bundle which will provide you with ready-to-use pre-configured solutions. The Tor browser bundle also includes Torbutton, which improves privacy protection when using Tor with a Web browser. Both versions of Tor can be downloaded at http://www.torproject.org/torbrowser/index.html.en.

Advantages and Risks

Tor can be a very effective tool for circumvention and protecting your identity. Tor's encryption hides the contents of your communications from your local network operator, and conceals whom you are communicating with or what Web sites you're viewing. When used properly, it provides significantly stronger anonymity protection than a single proxy.

But Tor is vulnerable to blocking. Most Tor nodes are listed in a public directory, so it is easy for network operators to access the list and add the IP addresses of nodes to a filter. (One way of attempting to get around this kind of blocking is to use one of several Tor bridges, which are Tor nodes not publicly listed, specifically to avoid blocking.)

Some programs you might use with Tor have problems that can compromise anonymity.

Also, if you're not using additional encryption to protect your communications, your data will be unencrypted once it reaches the last Tor node in the chain (called an exit node). This means that your data will be potentially visible to the owner of the last Tor node and to the ISP between that node and your destination Web site.

The developers of Tor have thought a lot about these and other risks and offer three warnings:

1. Tor does not protect you if you do not use it correctly. Read the list of warnings here: http://www.torproject.org/download.html.en#Warning, and then make sure to follow the instructions for your platform carefully: http://www.torproject.org/documentation.html.en#RunningTor

2. Even if you configure and use Tor correctly, there are still potential attacks that could compromise Tor's

3. No anonymity system is perfect these days, and Tor is no exception: you should not rely solely on the current Tor network if you really need strong anonymity.

Using Tor Browser Bundle

The Tor Browser Bundle lets you use Tor on Windows without requiring you to configure a Web browser. Even better, it's also a portable application that can be run from a USB flash drive, allowing you to carry it to any Windows PC without installing it on each computer's hard drive.

Downloading Tor Browser Bundle

You can download the Tor Browser Bundle from the torproject.org Web site, either as a single file (13MB) or a "split" version that is multiple files of 1.4 MB each. If your Internet connection is slow and unreliable, the split version may work better than trying to download one very large file.

If the torproject.org Web site is filtered from where you are, type "tor mirrors" in your favorite Web search engine: the results probably include some alternative addresses to download the Tor Browser Bundle.

Caution: When you download Tor Bundle (plain or split versions), you should check the signatures of the files, especially if you are downloading the files from a mirror site. This step ensures that the files have not been tampered with. To learn more about signature files and how to check them, read https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures

(You can also download the GnuPG software that you will need to check the signature here:

The instructions below refer to installing Tor Browser on Microsoft Windows. If you are using a different operating system, refer to the torproject.org website for download links and instructions.

Installing from a single file

1. In your Web browser, enter the download URL for Tor Browser: https://www.torproject.org/torbrowser/

2. Click the link for your language to download the installation file.

3. Double-click the .EXE file you just downloaded. A "7-Zip self-extracting archive" window appears.

4. Choose a folder into which you want to extract the files and click "Extract".

Note: You can choose to extract the files directly onto a USB key or memory stick if you want to use Tor Browser on different computers (for instance on public computers in Internet cafés).

5. When the extraction is completed, open the folder and check that the contents match the image below:

6. To clean up, delete the .EXE file you originally downloaded.

Installing from split files

1. In your Web browser, enter the URL for the split version of the Tor Browser Bundle (https://www.torproject.org/torbrowser/split.html), then click the link for your language to get to a page that looks like the one for English below:

2. Click each file to download it (one ending in ".exe" and nine others ending in ".rar"), one after the other, and save them all in one folder on your hard drive.

3. Double-click the first part (the file whose name ends in ".exe"). This runs a program to gather all the parts together.

4. Choose a folder where you want to install the files, and click "Install". The program displays messages about its progress while it's running, and then quits.

5. When the extraction is completed, open the folder and check that the contents match the image below:

6. To clean up, delete all the files you originally downloaded.

Using Tor Browser

Before you start:

Close Firefox. If Firefox is installed on your computer, make sure it is not currently running.

Close Tor. If Tor is already installed on your computer, make sure it is not currently running.

Launch Tor Browser:

In the "Tor Browser" folder, double-click "Start Tor Browser". The Tor control panel ("Vidalia") opens and Tor starts to connect to the Tor network.

When a connection is established, Firefox automatically connects to the TorCheck page and then confirms if you are connected to the Tor network. This may take some time, depending on the quality of your Internet connection.

If you are connected to the Tor network, a green onion icon appears in the System Tray on the lower-right-hand corner of your screen:

Browsing the Web using Tor Browser

Try viewing a few Web sites, and see whether they display. The sites are likely to load more slowly than usual because your connection is being routed through several relays.

If this does not work

If the onion in the Vidalia Control Panel never turns green or if Firefox opened, but displayed a page saying "Sorry. You are not using Tor", as in the image below, then you are not using Tor.

If you see this message, close Firefox and Tor Browser and then repeat the steps above. You can perform this check to ensure that you are using Tor at any time by clicking the bookmark button labelled "TorCheck at Xenobite" in the Firefox toolbar.

If Firefox browser does not launch, another instance of the browser may be interfering with Tor Browser. To fix this:

1. Open the Windows Task Manager. How you do this depends on how your computer is set up. On most systems, you can right-click in the Task Bar and then click "Task Manager".

2. Click the "Processes" tab.

3. Look for a process in the list named "firefox.exe".

4. If you find one, select the entry and click "End Process".

5. Repeat the steps above to launch Tor Browser.

If Tor Browser still doesn't work after two or three tries, Tor may be partly blocked by your ISP and you should try using the bridge feature of Tor.

Alternatives

There are two other projects that bundle Tor and a browser:

XeroBank, a bundle of Tor with Firefox (http://xerobank.com/xB_Browser.php)

OperaTor, a bundle of Tor with Opera (http://archetwist.com/en/opera/operator)

Using Tor IM Browser Bundle

The Tor IM Browser Bundle is similar to the Tor Browser Bundle, but offers you access to the Pidgin multi-protocol Instant Messaging client, so you can chat encrypted over your favourite Instant Messenger protocol like ICQ, MSN Messenger, Yahoo! Messenger or QQ which may be filtered.

You can learn more about Pidgin here: http://www.pidgin.im/

Download Tor IM Browser Bundle

You can download the Tor IM Browser Bundle directly from the Tor Web site (20MB) at https://www.torproject.org/torbrowser/

(If your Internet connection is slow or unreliable, you can also get a split up version on the torproject.org Web site at https://www.torproject.org/torbrowser/split.html).

If the torproject.org Web site is filtered from where you are, type "tor mirrors" in your favorite Web search engine: the results probably include some alternative addresses to download the Tor Browser Bundle.

Caution: When you download Tor Bundle (plain or split versions), you should check the signatures of the files, especially if you are downloading the files from a mirror site. This step ensures that the files have not been tampered with. To learn more about signature files and how to check them, read https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures

(You can also download the GnuPG software that you will need to check the signature here:

Auto-extract the archive

To get started, double-click the .EXE file you just downloaded.

You should see the window below:

Choose a folder into which you want to extract the files. If you are not sure leave the default value untouched. Then click "Extract".

Note: You can choose to extract the files directly onto a USB key or memory stick if you want to use Tor Browser on different computers (for instance on public computers in Internet cafés).

When the extraction is completed, open the newly-created folder and check that it looks like the image below (note the "PidginPortable" folder):

You can now safely delete the ".exe" file you originally downloaded (or the several ".rar" and ".exe" files if you used the split version).

Using Tor IM Browser Bundle

Before you start:

Close Firefox. If the Firefox browser is installed on your computer, make sure it is not currently running.

Close Tor. If Tor is already installed on your computer, make sure it is not currently running.

Launch Tor IM Browser:

In the "Tor Browser" folder, double-click "Start Tor Browser". The Tor control panel ("Vidalia") opens and Tor connects to the Tor network.

When a connection is established:

A Firefox browser window pops up and connects to the TorCheck page, which should show a green onion that confirms you that you are connected to the Tor network.

A Pidgin assistant window (below) pops up inviting you to set up your IM account on Pidgin.

You will also see the Tor icon (a green onion if you are connected) and a Pidgin icon appear in the System Tray on the lower-right-hand corner of your screen:

Set up your IM account in Pidgin

You can set up your IM account in the Pidgin window. Pidgin is compatible with most major IM services (AIM, MSN, Yahoo!, Google Talk, Jabber, XMPP, ICQ, and others):

To learn more on how you can use Pidgin, read:

If this does not work

If the onion in the Vidalia Control Panel doesn't turn green or if Firefox opens, but displays a page saying "Sorry. You are not using Tor", then you should:

Exit Vidalia and Pidgin (see below for details).

Relaunch Tor IM Browser following the steps above ("Using Tor IM Browser Bundle").

If Tor Browser still doesn't work, after two or three tries, Tor may be partly blocked by your ISP. Refer to the "Using Tor with Bridges" chapter of this manual and try again, using the bridge feature of Tor.

Exit Tor IM Browser

To exit the Tor IM Browser you need to:

Exit Vidalia by right-clicking on the onion icon in your tray bar and choose "Exit" in the Vidalia contextual menu.

Exit Pidgin by right-clicking on the Pidgin icon in your tray bar and choose "Quit" in the Pidgin contextual menu.

When the Vidalia onion icon and the Pidgin icon have disappeared from the Windows System Tray in the lower-right-hand corner of your screen, Tor IM Browser is closed.

Using Tor with Bridges

If you suspect your access to the Tor network is being blocked, you may want to use the bridge feature of Tor. The bridge feature was created specifically to help people use Tor from places where access to the Tor network is blocked. (You must already have successfully downloaded and installed the Tor software to use a bridge.)

What is a bridge?

Bridge relays (or "bridges" for short) are Tor relays that aren't listed in the main public Tor directory. This is a deliberate measure to stop these relays from being blocked. Even if your Internet service provider is filtering connections to all the publicly known Tor relays, it may not be able to block all the bridges.

Where do I find bridges?

To use a bridge, you need to locate one and add its information in your network settings. Send an e-mail from a Gmail account to bridges@torproject.org with the line "get bridges" -- by itself -- in the body of the mail.

Almost instantly, you will receive a reply that includes information about a few bridges:

Important Notes:

1. You must use a Gmail account to send the request. If torproject.org accepted requests from other mail accounts, an attacker could easily create a lot of email addresses and quickly learn about all the bridges. If you do not have a Gmail account already, creating one takes only a few minutes.

2. It is generally recommended to use Gmail with a secure SSL connection at "https://mail.google.com", rather than the unencrypted URL "http://mail.google.com/". On the Gmail settings page you can make HTTPS the default, in case you forget to use the https: prefix.

3. If you are on a slow Internet connection you can use the URL https://mail.google.com/mail/h/ for a direct access to the basic HTML version of Gmail.

Turn on bridging and enter bridge information

After you get addresses for some bridge relays, you must configure Tor with whatever bridge address you intend to use:

1. Open the Tor control panel (Vidalia).

2. Click "Settings". A "Settings" window opens.

3. Click "Network".

4. Select "My Firewall only lets me connect to certain ports" and "My ISP blocks Connections to the Tor network".

5. Enter the bridge URL information you received by e-mail in the "Add a Bridge" field.

6. Click the green "+" on the right side of the "Add a Bridge" field. The URL is added to the box below.

7. Click "OK" at the bottom of the window to validate your new settings.

8. In the Tor control panel, stop and restart Tor to use your new settings.

Note:

Add as many bridge addresses as you can. Additional bridges increase reliability. One bridge is enough to reach the Tor network, however, if you have only one bridge and it gets blocked or stops operating, you will be cut off from the Tor network until you add new bridges.

To add more bridges in your network settings, repeat the steps above with the information on the additional bridges that you got from the bridges@torproject.org e-mail message.
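The Vidalia steps above set two options that Tor itself reads from its torrc file, UseBridges and Bridge (and, for "My Firewall only lets me connect to certain ports", ReachableAddresses). The following added example, not code from this manual or from the Tor project, parses a constructed copy of the kind of reply described under "Where do I find bridges?" and renders those torrc lines. The reply text, the regular expression for a bridge line and the assumption that ports 80 and 443 are the ones your firewall leaves open are all mine; real bridge addresses come only from the e-mail reply.

```python
"""Turn the bridge lines from a bridges@torproject.org reply into torrc settings.

Added example (not from the manual or the Tor project). The reply below is
constructed; the IP addresses are from the RFC 5737 documentation ranges.
"""
import ipaddress
import re

# Constructed sample of an e-mail reply body (not a real reply).
SAMPLE_REPLY = """\
Here are your bridge relays:

 bridge 192.0.2.10:443
 bridge 198.51.100.7:9001
 bridge 203.0.113.5:99999
 bridge not-an-address:443

Configure your Tor client to use them.
"""

# Assumed line shape: the word "bridge", an IPv4 address, a colon and a port.
BRIDGE_RE = re.compile(r"^\s*bridge\s+(\S+):(\d{1,5})\s*$", re.IGNORECASE)


def parse_bridge_lines(text):
    """Return (ip, port) tuples for every well-formed bridge line.

    Lines whose address is not an IPv4 address, or whose port is out of
    range, are skipped rather than written to torrc: a malformed Bridge
    line makes Tor refuse to start at all.
    """
    bridges = []
    for line in text.splitlines():
        m = BRIDGE_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            continue
        if not 1 <= port <= 65535:
            continue
        bridges.append((str(ip), port))
    return bridges


def torrc_for_bridges(bridges, restrict_ports=(80, 443)):
    """Render torrc lines equivalent to the Vidalia settings in the steps above.

    "My ISP blocks Connections to the Tor network"     -> UseBridges 1 + Bridge lines
    "My Firewall only lets me connect to certain ports" -> ReachableAddresses
    (assumption: 80 and 443 are the ports left open; pass None to omit the line)
    """
    if not bridges:
        raise ValueError("no usable bridge lines; request more bridges")
    lines = ["UseBridges 1"]
    if restrict_ports:
        lines.append("ReachableAddresses " + ",".join(f"*:{p}" for p in restrict_ports))
    # List every bridge: if one is blocked or goes offline, Tor uses the others.
    for ip, port in bridges:
        lines.append(f"Bridge {ip}:{port}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(torrc_for_bridges(parse_bridge_lines(SAMPLE_REPLY)))
```

Two of the four constructed lines are dropped on purpose (a port above 65535 and a non-address), which is the check worth having before you paste anything into a running Tor's configuration; after editing torrc, stop and restart Tor exactly as step 8 says.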

About JonDo

JonDo is a proxy tool similar to Tor which can be used to bypass Internet censorship. It was invented in 2000 as a German university project called Java Anon Proxy (JAP) and now offers both free and commercial services. The free servers only offer the speed of an analog modem whereas the commercial service offers higher speed for about 10 US Dollars for 1 GB of traffic. The Java client runs on Linux, Mac OS and Windows.

Like Tor, JonDo's main purpose is to provide anonymity for users when visiting Web sites. Like Tor, it works by sending traffic through several independent servers.

Installation

To use the JonDo network you need to download the JonDo client for your operating system from https://www.jondos.de/en/download. For both Linux and Mac OS X there is a single download option (6 MB).

For Windows however, there are three different possibilities:

The standard desktop installer which has Java included (about 15MB)

A PortableApps version also with Java included which can be run from a USB flash drive for use at Internet cafés or other shared computers (about 20MB)

The minimal three-file download necessary to run JonDo without the installer and Java: It consists of the files http://anon.inf.tu-dresden.de/develop/jap.exe, http://anon.inf.tu-dresden.de/develop/japdll.dll and http://anon.inf.tu-dresden.de/jap/JAP.jar (in total about 6MB).

Choose a download depending on your experience, intended use and speed of your Internet connection. To install the JonDo client you just have to click on the downloaded file and follow the simple instructions.

Configuration and Usage

When you first start JonDo you see a window where you can choose between the languages English, German, Czech, Dutch, French and Russian.

On the next screen, you will see a notice that you have to configure your Web browser to use the JonDo proxy tool. Click on the name of your browser and follow the instructions you get.

Now take the first step to check if you configured your browser correctly. Switch anonymity to "Off" in the JonDo main window and then open a Web site with the browser you just configured.

If JonDo shows you a warning and you have to choose "Yes" to view the Web site, everything is configured properly and you can choose "The warning is shown. Websurfing is possible after confirmation". If any other description applies to you, choose it and the Installation assistant will give you more information on how to solve the problem.

Now take the second step to ensure a proper configuration: switch anonymity to "On" in the main JonDo window and again open a random Web site with the browser you configured.

If the Web site loads, everything is fine and you can click "Connection established, websurfing is fine". If another description applies to you choose that one and the Installation assistant will help you solve the problem.

Now the configuration is almost done. You are already browsing through the JonDo network. However, you should configure your Web browser so that it doesn't leak any information. This again is explained when you click on the name of your Web browser.

Now choose the options you want to see in the JonDo client based on your computer experience.

Inexperienced users should choose "Simplified view".

If the standard JonDo servers are already blocked in your country, you should try the anti-censorship option. Click on "Config" in the main JonDo window and select the "network" tab. There click on "Connect to other JAP/JonDo users in order to reach the anonymization service". Read the warning and confirm it by clicking "Yes".

What are VPN and Tunneling?

VPN (virtual private network) and tunneling are techniques that allow you to encrypt the data connections between yourself and another computer. This computer might belong to your organization, a trusted contact or a commercial VPN service. Tunneling encapsulates a specific stream of data within an encrypted protocol, making everything that travels through the tunnel unreadable to anyone along the way. VPNs are very commonly used by corporations to allow employees who need access to sensitive financial or other information to access the companies' computer systems from home or other remote locations over the Internet.

Using a VPN or other kinds of tunnels to encrypt your information can be a good way of ensuring it is not seen by anyone but yourself and people you trust. It has the additional effect of making all your different kinds of traffic look similar to an eavesdropper or to a system that is trying to block your traffic. Since many international companies use VPN technology, it is not very likely to be blocked.

These techniques create a tunnel from your computer to another computer somewhere on the Internet. Your data can travel through this tunnel and then continue to a final destination on the Web. The integrity and privacy of the traffic inside the tunnel are protected by encryption.

If the tunnel ends outside the area where the Internet is being restricted, this can be an effective method of circumvention, since the filtering entity/server sees only encrypted data, and has no way of knowing what data is passing through the tunnel.

It is important to note that the data is only encrypted as far as the end of the tunnel, and then travels unencrypted to its final destination. If, for example, you set up a tunnel to a commercial VPN provider, and then request the Web page news.bbc.co.uk through the tunnel, the data will be encrypted from your computer to the VPN provider's computer at the other end, but from there it will be unencrypted to the servers run by the BBC, just like normal Internet traffic. This means that the VPN provider, the BBC and anyone with control over a system between these two servers, will, in theory, be able to see what data you have requested.

Tunneling

The main difference between a VPN connection and a tunnel is that a VPN system is set up in such a way that it encrypts all data from your computer to the Internet, while a tunnel is set up to encrypt only traffic from specific applications, either based on the port numbers they use or by requiring you to specify which tunnel to use within each application. Unlike a VPN, tunnels require each application, such as a Web browser, e-mail client or Instant Messaging program, that needs to use the encrypted tunnel, to be configured individually to use the tunnel. Significantly, not all applications are capable of being passed through common types of tunnels. Most Voice over IP (VoIP) systems, for example, use the UDP protocol, which is not supported in many common tunneling systems. Also, some common applications such as the Opera web browser do not have built-in support for SOCKS proxies which are the most common type of tunneling software. In this case you have to use an extra a
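What "configuring an application to use a SOCKS proxy" means at the protocol level is the exchange below: the application greets the proxy, asks it to open a TCP connection on its behalf, and only then sends its own data through the tunnel. The following is an added example, not code from this manual or from any of the tools it names; it builds and decodes the SOCKS version 5 messages (RFC 1928) and includes a small client that performs the exchange against a proxy address you supply (the proxy address, the hostname news.bbc.co.uk and the sample reply bytes are my own assumptions). It covers TCP CONNECT only, so it also illustrates why UDP-based applications such as VoIP cannot simply be pointed at this kind of tunnel.

```python
"""Minimal SOCKS5 client messages (RFC 1928), as an added example.

Not code from the manual or from any tool it names. Shows what an application
sends when it is set to use a SOCKS proxy (a per-application tunnel), and why
the hostname should be handed to the proxy (ATYP 0x03) rather than resolved
locally: a local DNS lookup happens outside the tunnel and reveals the
destination name to whoever watches the unencrypted link.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01            # TCP only; SOCKS5 UDP ASSOCIATE is not covered here
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting():
    """Version identifier offering a single method: no authentication (0x00)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host, port):
    """Build a CONNECT request for host:port.

    A hostname is sent verbatim (ATYP 0x03) so the far end of the tunnel
    resolves it; an IP literal is sent as IPv4 or IPv6.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Decode the proxy's reply: (ok, description, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        alen, off = 4, 4
        bound = str(ipaddress.IPv4Address(data[off:off + alen]))
    elif atyp == ATYP_IPV6:
        alen, off = 16, 4
        bound = str(ipaddress.IPv6Address(data[off:off + alen]))
    elif atyp == ATYP_DOMAIN:
        alen, off = data[4], 5
        bound = data[off:off + alen].decode("idna")
    else:
        raise ValueError("unknown address type in reply")
    if len(data) < off + alen + 2:
        raise ValueError("truncated reply")
    port = struct.unpack("!H", data[off + alen:off + alen + 2])[0]
    return code == 0, REPLY_TEXT.get(code, "unassigned"), bound, port


def tunnel_connect(proxy, host, port, timeout=10):
    """Open a TCP connection to host:port through the SOCKS5 proxy at (ip, port).

    Only data sent on the returned socket travels through the tunnel; anything
    else the application does (other sockets, local DNS) does not.
    """
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(greeting())
    ver, method = s.recv(2)
    if ver != SOCKS_VERSION or method != 0x00:
        s.close()
        raise OSError("proxy refused unauthenticated access")
    s.sendall(connect_request(host, port))
    ok, text, _, _ = parse_reply(s.recv(262))   # 262 = largest possible reply
    if not ok:
        s.close()
        raise OSError(f"SOCKS5 CONNECT failed: {text}")
    return s


if __name__ == "__main__":
    # Assumed proxy address, e.g. a local SSH dynamic forward; not from the manual.
    with tunnel_connect(("127.0.0.1", 1080), "news.bbc.co.uk", 80) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: news.bbc.co.uk\r\n\r\n")
        print(s.recv(200).decode(errors="replace"))
```

Compare the two request forms that connect_request can produce: with the hostname form the proxy end of the tunnel does the name lookup, with the IP form the application already resolved the name itself, typically by a plain DNS query that never entered the tunnel. That is the per-application leak the JonDo chapter has in mind when it says to configure the browser so it "doesn't leak any information".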